IT PRO PERSPECTIVE


Crockett 

"IT organizations in our audience are 
spending slightly more on most categories 
of software, hardware, and services." 



2009 IT Spending Promising Among Readers 

Windows IT Pro survey results 


Although the IT industry is awash with evidence that budgets are
tight, recent survey results indicate that our audience is faring
better than expected in terms of IT spending on products, services,
and IT staffing. Each year, Windows IT Pro commissions an independent
survey of its print, email, and web audience, which represents
organizations with an average of approximately 5,900 employees and
$3.2 billion in revenue (with a median of about $27.4 million in
revenue) across a range of industries. The results buck some industry
predictions and point to some interesting shifts in the proportion of
Windows and non-Windows systems.

In July, Gartner revised its forecast of IT spending in 2009 downward
from $3.4 trillion to $3.2 trillion, a 6 percent decline—significantly
steeper than the 3.8 percent decline the analyst firm predicted in
March 2009. But according to data collected in summer 2009, IT
organizations in our audience are spending slightly more on most
categories of software, hardware, and services. The anticipated
average annual expenditure for computer software increased slightly,
from $1.77 million in 2008 to $2.58 million in 2009. Respondents
stated that spending on computer systems will increase from $2.81
million in 2008 to $3.39 million in 2009. Spending on storage and
peripherals is expected to remain flat for 2009, at an average of
$2.44 million. Security and business continuity expenditures are
expected to increase only slightly, from an average of $1.93 million
in 2008 to $1.98 million in 2009. The only drop in spending predicted
is in the category of networking and telecommunications, from an
average of $3.06 million in 2008 to $2.44 million in 2009.

Within the category of computer systems spending, organizations in our
audience are planning to purchase significantly more Windows
workstations and servers for new deployments and upgrades in the next
12 months than they were at this time in 2008. Respondents indicated
that they are planning to add an average of 683.9 servers in 2009, up
from 309.2 in 2008—a dramatic increase driven for the most part by
Windows Server 2008 deployments. Linux additions are increasing as
well, with respondents indicating that they plan to purchase an
average of 11.2 Linux servers or workstations within the next 12
months, an increase from 9.6 at this time last year. The number of
UNIX and Mac servers or workstations that organizations plan to
purchase within the next 12 months is dropping, representing an
ever-smaller role in our audience's organizations.

The increase in the purchase of Linux servers is a trend that has been
in motion for the past few years among our audience, with 41 percent
of respondents indicating that Linux servers were currently in use in
2009, essentially flat with 2008. Among our audience, Windows Server
2008 has stolen a bit of the thunder from Linux, but even so, 19
percent of our audience indicated that they plan to purchase new Linux
servers before 2010.

The best news coming out of our survey is that IT spending on 
both outsourcing or consulting and staffing will increase in 2009 
over 2008—perhaps in part to handle the upcoming Windows Server 
2008 R2 and Windows 7 deployments. A whopping 66 percent of 
our audience has deployed or plans to deploy Windows Server 
2008 before the end of 2010, and 66 percent have deployed or plan 
to deploy Windows 7 before the end of 2010. IT expenditures on 
consulting and outsourcing among our audience are expected to 
increase from an average of $2.04 million in 2008 to an average of 
$3.57 million in 2009. 

Keep in mind that these figures represent averages among a huge range
of companies. We have some very large companies represented in our
audience (those with more than $25 billion in revenue, for example),
so those companies tend to skew the spending averages. But even so,
the year-over-year trend is not as dismal as we might have expected.

For small to medium-sized businesses (SMBs) that have fewer resources
at their disposal, a focus on judicious software and hardware spending
can help IT organizations save money in the long run by helping
workers increase their productivity. Michael Risse, former vice
president of the Worldwide Small and Midmarket Business Group at
Microsoft, commented in an interview earlier this year
(www.windowsitpro.com, InstantDoc ID 102451) that SMBs typically spend
first in core infrastructure—to ensure security and reliability—and
second in employee productivity. Risse believes that strategic
software spending is critical to helping businesses save money.

The huge wave of product releases coming up from Microsoft this fall
will certainly help spur spending, as indicated by our survey results.
The light can't come fast enough in this economic tunnel. For our
audience, at least, it seems things are no longer pitch black. It's a
start.

InstantDoc ID 102535 

MICHELE CROCKETT (michele.crockett@penton.com) helped launch 
within Penton Media, and is currently editorial and custom strategy director
of Windows IT Pro, SQL Server Magazine, and Systemi Network. 

Windows 7 Test Drive 

After reading Michael Otey's article "Windows 7 in the Enterprise"
(June 2009, InstantDoc ID 101885), I took the Windows 7 Release
Candidate (RC) for a test drive on my Dell Latitude D600 laptop,
currently running Windows XP SP3. The system has a 1.7GHz Intel
processor, 1GB RAM, an ATI Mobility Radeon 9000 video card, a Broadcom
570x NIC, and an Intel Pro Wireless LAN 2100 3a Mini PCI adapter. (A
few years ago, I tried upgrading to Windows Vista 32-bit but couldn't
find support for the hardware components.) I use this relatively old
computer for Microsoft Office, remote controlling other computers with
the RDP client, and running guest machines under Virtual PC 2007. My
only concern is an increasing slowness as more and more Microsoft
patches are applied.

The promise of a more nimble, lighter-footprint OS from Microsoft
intrigued me, so I downloaded the Windows 7 RC. I burned the download
to a DVD and installed a spare disk drive on my laptop so that I
wouldn't have to go back to square one if the test didn't work.

The installation was relatively fast, and the laptop booted quickly.
The Microsoft standard VGA drivers worked well, and I had a
functioning wired Ethernet connection. I needed sound, so I installed
Sigmatel audio drivers from Dell. Before I work on a new OS
installation on a laptop or workstation, I get the latest drivers from
the manufacturer's website and compile them on a CD. If the NIC
doesn't "light up," I can install any drivers on the spot. I was
unable to find any drivers for the ATI video; however, the
Microsoft-supplied drivers were good enough.

My problem was the Intel Pro Wireless 2100 3A adapter. A notebook
without wireless capability wouldn't do. I downloaded drivers for
Vista from the Intel download site and connected to my home network.
At last, I had a fully functioning computer! Now for the real test: I
needed antivirus, so I downloaded Avast! Home edition, then installed
Microsoft Office 2007 and Virtual PC 2007.

While I'm not running in an enterprise environment, I find the Windows
7 startup to be surprisingly quick and application performance to be
adequate to my needs. Also, if you're familiar with Vista, the UI
isn't much different, and the UAC seems to be reasonable with its
default setting. All things considered, Microsoft may be on to
something.

—John Swanson 

VMware ESX 3.5 and Processor-Virtualization Changes

I read John Savill's FAQ, "Does VMware ESX 3.5 require a 64-bit
processor with hardware virtualization features?" (InstantDoc ID
102301). John says "ESX 3.5 doesn't currently take advantage of the
hardware assist technologies (Ring -1) in the Intel and AMD
processors. VMware uses binary translation, which they have found gets
better performance than the native hardware virtualization in
processors." The understanding is that future versions of VMware will
utilize some of the hardware-virtualization assistance.

Actually, ESX 3.5 does. VMware was one of the first virtualization
vendors to recognize hardware I/O virtualization, with support for
Intel-VT, AMD-V, N Port ID Virtualization (NPIV) on Fibre Channel
cards, and switches and nest-page-tables for memory. Also, enabled
Intel-VT—which supports long-mode processors—is a requirement to get a
64-bit OS to work on ESX 3.5. In reality, VMware uses a combination of
Direct Execute (the cause of CPU-compatible requirements for Vmotion,
aka live migration) and binary translation for virtual interrupts (in
the main networking and disk access). VMware also supports
paravirtualization if the guest OS is compiled appropriately, as with
Fedora Linux.

Finally, for some time, it's been possible to virtualize ESX on ESX
and VMware Workstation. Doing so requires editing a configuration file
(.vmx) to open a backdoor, but afterward you can run ESX on ESX, and
even run a virtual machine (VM) on the "virtualized ESX" VM—pretty
crazy stuff, but handy for people who want to test the VMware products
with limited hardware resources.

—Mike Laverick

I checked with the VMware engineers, who responded, "Both answers are
somewhat correct. VMware doesn't use Intel-VT and AMD-V in ESX 3.5,
except for 64-bit VMs. VMware's binary translation was found to be
faster for most workloads than Intel-VT or AMD-V. Hyper-V and Xen
require Intel-VT/AMD-V for all VMs as they leverage the VM monitor
(VMM) that Intel-VT and AMD-V provide." I've updated the FAQ to point
out that the processor assist is used for 64-bit VMs. Thanks for
bringing this to my attention.

—John Savill

OpenOffice and Terminal Services

I was just reading Jeff James' "OpenOffice 3.0 Challenges Microsoft's
Office Dominance" (InstantDoc ID 100545). I've been considering
OpenOffice as a replacement for Microsoft Office 2003. However, I've
been unable to find any information about how the product performs in
both Terminal Services and VMware ESX environments. I'd love any
information you can provide.

—Dave Warnes

You shouldn't have any trouble virtualizing OpenOffice 3.0, but I've
heard mixed reports about using OpenOffice with Terminal Services. For
example, check out the comments that follow the article "Terminal
Services Plus OpenOffice Equals"
(iesmurphy.com/2009/01/25/terminai-services-plus-open-office-equals).
An article from our site that you might find handy is "OpenOffice
Registry Fix" (windowsitpro.com/article/articleid/93970). Finally, the
OpenOffice.org support forum (support.openoffice.org) might also be
helpful.

—Jeff James

InstantDoc ID 102491 
BEST PRACTICES

for Storage Management 
and High Availability in 
your Microsoft Data Center 

Keeping your storage system, data, and applications available to your users when and where they need it, reliably
and without fail, requires a solid set of operational practices and technologies that enable IT to deliver on the
service level requirements of business users. These requirements go across business and departmental boundaries
and should be established as fundamental underlying goals of IT throughout the enterprise. The combination of
management practices and software will enable IT to meet the storage, availability and disaster recovery
requirements of the business.


Single Management Infrastructure 

While there are several methods and applications designed to manage storage, application availability, and disaster
recovery, the most efficient method throughout the enterprise requires standardizing on a management platform
that supports all of the software and hardware that you are deploying. Management needs to support both physical
and virtual servers, clustering (local and remote), and offer reporting and proactive alerting services that cover
the gamut of data center storage, availability, and disaster recovery operations. Support should be cross-platform,
allowing the implementation of a similar tool set and associated standardized procedures across operating systems
(Windows, UNIX, and Linux).
Efficient Storage Utilization

By its very nature, storage is dynamic and it is very easy to waste resources by investing in more storage than is
necessary to meet the current requests and estimated near future needs of application owners. Efficient online
storage administration gives IT the ability to make storage available, as necessary, by allowing dynamic growth
or reallocation of storage to services and applications that need storage now, while adjusting the amount and
location of storage and data throughout the enterprise to meet short and longer-term business needs. Support for
technologies such as storage virtualization and the ability to reclaim unused storage, redesign improperly
configured storage or to move data from one type of storage to another while systems and applications remain online
allow for a reduction in both storage and operational expenses. It is imperative that online storage operations
have consistency in both physical and virtual environments—differing functionality, differing infrastructure
software which leads to differing operational processes increase resource investment costs. For example, migration of
storage while the Windows Server and application are online in the physical environment should also translate to
the virtual environment—online storage migration while the Hyper-V virtual machine remains online—without
having to rely on different tool sets to complete this task.


High Availability & Disaster Recovery 

Achieving high availability and disaster recovery needs to be architected for the application from an end to end
perspective—storage through server through application. For applications with critical data on shared storage,
availability from the host to the critical shared storage can be achieved through the use of multi-pathing. In a
Windows environment, multi-pathing should adhere to the Microsoft MPIO framework, provide a broad coverage
of array support, and provide additional benefits of tuning the I/O load balancing configuration to the right
algorithm that best suits the environment and performance of the application and advanced path management.


Clustering and replication, whether the topology is local, stretch, or wide area, address many of the
high-availability and disaster recovery needs of enterprise IT organizations from a server and application perspective. For
optimum availability, there needs to be direct support and built in knowledge for standard enterprise Windows
applications and services such as Microsoft Exchange Server, Microsoft SQL Server, Microsoft SharePoint Server,
Microsoft IIS and Microsoft File and Print services. Additionally, this support and protection should be extensible
to both physical and virtual environments. Cluster support should have no single point of failure, and should be
able to automatically, and gracefully, move supported applications and necessary data to an available server with
little or no impact on the end-user experience. Both software- and hardware-based replication technologies
should be supported, ensuring that a local or stretch topology can be easily extended to wide area, to achieve
truly integrated application and data disaster recovery.


Ease of Use 

Storage management, availability, and disaster recovery software is often complex and difficult to install and 
configure. This tends to cause IT users to not take full advantage of the software's available features. The best 
solutions will offer wizard-driven installation and configuration options—not just for the basic installation 
and setup but also for the more complex high availability and disaster recovery configurations. You also 
should be able to fine tune the configurations as more information is obtained on use and operation. 


Automation 

Automation capabilities cover a broad spectrum of requirements, from the generation of system or application
reports to dynamic I/O balancing, intelligent and optimized application movement based on a system
workload to optimizing the tuning of storage and availability operations. Ideally this automation requires a
minimum of IT interaction to configure and maintain. Storage management, availability and disaster recovery
software should be capable of allowing IT to set conditions and from that point utilize the conditions
established by IT to optimize the performance of the storage and applications, generate automatic alerts, create
reports, or any combination of these actions that allow for a more efficient storage operation and reliable
availability environment. For example, as the software detects a failing disk, it would generate an alert, begin
the automated migration of data to a healthy disk, and generate a report on the process when complete,
allowing IT to see what has occurred and the corrective action taken to address the impending failure. In
addition, automated testing of capabilities and features related to clustering and high availability, such as being
able to test fail-over without disturbing the production instance of an application, can provide a high level of
confidence in the availability and disaster recovery solution without the business impact of downtime or the
operational impact of building and testing an entire replica environment.
SSD with SQL Server 2008 Saves Power

Findings from an end-user comparison of solid-state drives to
traditional serial-attached SCSI (SAS) disk usage on SQL Server 2008
report a significant increase in overall potential user load and
scaling, while providing improved response time, as well as a 45
percent power savings in a 15,000 user configuration. Read the
performance report to get more results and learn how a solid-state
drive can provide a better end-user experience.
windowsitpro.com/go/SSDforSQL08

SharePoint Success, eLearning series with Dan Holme—September 24, 2009

Learn from the best, get your questions answered, and take away
prescriptive guidance for successful SharePoint governance and
administration. Get more info about the speaker, sessions, and how to
reserve your seat at:
windowsitpro.com/go/SharePointSuccesseLearning

New from Left-Brain.com: Exchange Server 2007 Training Package

If you want to master Exchange Server 2007, you can't replace real
world experience, but this intensive, 21-hour training course can
easily eliminate up to four years of trial, error, and frustration!
You'll learn how to avoid the costly misconfigurations that even the
most seasoned experts make.
windowsitpro.com/go/ExchangeServer


Humphries

The missing link to
IT resources


SuperSite's Superman on Office 2010 
and Windows 7 

Soar to new heights with Windows IT Pro expert tips on 
these new releases 


While apps and platforms serve as tools to make our days better, it's
our peers, favorite pros, and their opinions that turn out to save the
day.


Is it a bird? Is it a plane? No it's Paul's SuperSite for Windows!
Faster than a speeding virus, more powerful than SharePoint, and able
to leap to TechEd in a small bound. While apps and platforms serve as
tools to make our days better, it's our peers, favorite pros, and
their opinions that turn out to save the day. IT superhero Paul
Thurrott (picture more crew-neck t-shirts than flowing capes) and his
SuperSite for Windows have all of the insights that you need to
determine what products will be heroes or zeroes for you.

Last month in "Are You Into Server 2008 R2?" (InstantDoc ID 102288),
we took a look at resources from Paul and others that showcased the
latest features in Windows Server 2008 R2. This month, see reviews and
web-exclusive posts to help you determine which direction you'd like
to take with Microsoft Office 2010 and Windows 7.

"Windows 7 Clean Install Screens,"
winsupersite.com/win7/clean_install.asp: See and believe with Paul's
play-by-play screenshots, walking you through the entire process of
the preferred method for installing Windows 7.

"Windows 7 Product Editions Comparison,"
winsupersite.com/win7/win7_slcus_compare.asp: Pick the Windows 7
product edition that makes the most sense for you, based on your needs
and wants, with these helpful charts and explanations.

"Windows 7 FAQ," winsupersite.com/win7/faq.asp: Hit the resource
bull's-eye with Paul's central location for accurate Windows 7
information.

"Office 2010 Details Emerge," InstantDoc ID 102140: Learn what
Microsoft Office features you can expect to see—and what past features
will be nowhere to be seen—in the upcoming version.

"Office 2010 Technical Preview: A SuperSite Special Report,"
winsupersite.com/office/office2010_tp.asp: Check out Paul's 4-part
report on the upcoming release and his answer to this question: "How,
exactly, do you improve on a product line that is as mature and
full-featured as Office?"

"Office 2010 FAQ," winsupersite.com/office/office2010_faq.asp: Find
out what readers are asking about Office 2010.

Let us know whether these new releases will be your friends or foes.
Plus, we're looking into costume and sidekick ideas for Paul. You can
send your entries to letters@windowsitpro.com.

InstantDoc ID 102480 

This article marks my final entry in the Your Savvy Assistant column.
Thank you all for your support, feedback, and friendship! I hope that
this column has been valuable to you. Stay tuned to see what's next
for this page.
Thurrott

"For the first time, Office 2010 will be available
in 32-bit and 64-bit versions, which means Excel
2010 will be able to work with massive data sets."


NEED TO KNOW 


What You Need to Know About Microsoft Office 2010 
Technical Preview 


During the first half of 2010, Microsoft will release Office 2010,
along with other applications, servers, and web services that will
make up the Office 2010 wave. Before then, however, customers can
evaluate these technologies in the Office 2010 Technical Preview. This
month, I focus on the end-user application suite, Office 2010. Here's
what you need to know about Microsoft Office 2010 Technical Preview.

Historical Perspective 

Microsoft Office is a phenomenon, installed on over 500 million PCs
worldwide and unassailable by any competition. The suite has evolved
from a software bundle into a family of integrated products that spans
the PC desktop, Windows Mobile devices, and, in Office 2010, the web.
(Office also includes server-based components such as SharePoint that
we'll examine at a later time.)

Office outgrew the standard UI found in Windows applications, and in
Office 2007, Microsoft began deploying the Ribbon UI, a graphical and
discoverable interface. In Office 2010, that UI appears in all Office
applications as well as the web-based Office Web Applications and
SharePoint on the web, offering a consistent UI across all Office
access points. Microsoft continues its innovation of productivity UIs
with Microsoft Backstage View, which combines common application
functions into a simpler, more discoverable interface.

Looking at the Technical Preview 

The Office 2010 Technical Preview includes updates to all of the 
familiar applications. Improvements include the aforementioned 
BackStage View feature; Paste Preview, which puts common paste 
options in a handy tool tip; and picture-editing capabilities, which are 
provided directly inside the appropriate applications. 

For the first time, Office 2010 will be available in both 32-bit and
64-bit versions, which means Excel 2010 will be able to work with
massive, memory-intensive (over 4GB) spreadsheets and data sets. Excel
also picks up in-cell charts and graphs called Sparklines, which
provide at-a-glance access to trend data. New Slicers visually filter
data, such as pivot tables, for easier interactivity. And you can now
upload spreadsheets to SharePoint Server 2010, providing web-based
users with the same functionality found in the Excel Windows
application.

Outlook 2010 picks up the Ribbon UI to good effect, and Outlook is, in
many ways, the most dramatically improved application in the suite. A
new MailTips feature alerts you when you're about to send an
inappropriate email, such as to a group that includes recipients
outside your organization.

A new Ribbon-based Quick Steps feature exposes a gallery of 
multi-command tasks, like "Reply and Delete" and "Team E-mail," 
that you can access in one click. (Best of all, you can make your own 
tasks.) 

A new Conversation View helps manage multi-email conversations, and a
new Clean Up tool removes repeated text from multiple emails, making
the thread more readable.

Building on its ability to insert video, PowerPoint 2010 now lets you 
edit that video in the application, compress it, and change the video's 
shape, border, effects, and other properties. PowerPoint can also 
"broadcast" presentations to the web, so users can view presentations 
even when they don't have the application installed. (This feature 
works with IE, Firefox, and even Safari.) 

Word 2010 offers improved typography, new text effects, integrated
picture editing, and a greatly improved Document Map feature, which
helps you work with the structure of a document at a high level. The
improved OneNote 2010, the latest version of Microsoft's "idea
processor," offers better Outlook integration and other improvements.

What's Next 

Missing from the Office 2010 Technical Preview are prerelease versions 
of the Office Web Applications, including web-based Word, Excel, 
PowerPoint, and OneNote. Those will be delivered later in the summer, 
Microsoft says, followed up by true beta versions of the Office 2010 suite 
and other Office applications and servers. Expect major SharePoint 
2010 announcements later in 2009 as well as a version of Microsoft 
Office Mobile for Windows Mobile with added editing functionality. 

Recommendations 

Office 2010 appears to continue the evolution of Office that began
with Office 2007. If you're already on Office 2007, I see little
reason to jump into Office 2010 right away. But if you're not, the
Technical Preview is the ideal vehicle to test-drive Microsoft's
improved office productivity wares.

InstantDoc ID 102421 
WINDOWS POWER TOOLS


Minasi 

"So many batteries seem to go from 10 
percent to dead flat in about two minutes." 



Powercfg on Battery Power 

Time to get into the nitty-gritty of this excellent power-management tool 


You might recall from "Powercfg Gets Sleepy" (InstantDoc ID 102240)
that Powercfg lets you access helpful power-management features that
you can't get from the GUI—but it's fairly complex. One feature that I
find handy is the ability to reconfigure a power scheme with Powercfg,
but I've refrained from writing about it because the syntax can be
pretty ugly. However, as I've spoken about Powercfg over the past few
months, people often ask for more about the utility. They correctly
point out that if you want to script a hands-off Windows setup but
want to create custom power settings, Powercfg is the only game in
town. So, this month, let's use Powercfg to configure Windows to
inform us when our batteries are low.

As I showed you in "Powercfg" (InstantDoc ID 48399), Powercfg's /x
option is great for controlling four settings: when to dim the screen,
how many minutes of inactivity to wait before going to standby and
before going to sleep, and when to turn off the disk. But there are
many other timeout/notification options—for example, at what percent
of battery strength should Windows notify you and what percent
constitutes "critical" battery levels. To set these options with
Powercfg, you use the -setacvalueindex and -setdcvalueindex options.

Here's an example. By default, Windows warns you of low battery life
when your battery reaches 10 percent, but so many batteries seem to go
from 10 percent to dead flat in about two minutes. You'd like to set
that percentage to, say, 20 percent. Generically, the command looks
like

powercfg -setdcvalueindex <scheme GUID> <sub-GUID identifying the family of settings we're about to modify> <setting-GUID identifying the particular setting we're modifying> <desired value for the setting>

How about an example? Ready? Here it comes:

powercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e e73a048d-bf27-4f12-9731-8b2076e8891f 8183ba9a-e910-48da-8769-14ae6dc1170a 20

Now you can see why I thought no one would ever want to try to figure
this out. But after I pick apart this example, others will be easier.
In this example, 381b4222-f694-41f0-9685-ff5bb260df2e is the GUID that
instructs Powercfg to make this modification to the Balanced power
scheme (rather than the High performance or Power saver scheme).
Recall from "Powercfg Revisited" (InstantDoc ID 102005) that you can
use the Powercfg -l command to list all the power schemes on your
system, as well as their GUIDs. The two GUIDs
e73a048d-bf27-4f12-9731-8b2076e8891f and
8183ba9a-e910-48da-8769-14ae6dc1170a are essentially informing the
system that you want to modify a battery setting and that this setting
specifies the percentage of remaining battery power that should
trigger a "low power battery" event. Finally, 20 sets the
low-battery-power threshold to 20 percent.

The Microsoft thinking here was apparently to build a hierarchy of
objects, give them GUIDs so that they're easy for a programmer to
identify, and let Powercfg control them. So, to assemble one of these
-setdcvalueindex or -setacvalueindex commands, you need to locate the
power scheme's GUID (Powercfg -l), the sub GUID that refers to the
general area of what you want to control
(e73a048d-bf27-4f12-9731-8b2076e8891f—the sub-GUID for "battery," in
this example), the GUID that refers to what, specifically, we're
setting (8183ba9a-e910-48da-8769-14ae6dc1170a—the "low battery charge"
setting, in this example), and finally whatever you want to set (20,
in this case). By the way, the Powercfg documentation claims that you
can feed the utility numeric values in hex with the 0x prefix, but
I've never gotten it to work.

The only missing piece is, of course, where to find the sub-GUID 
and the setting GUID. The easiest place I've seen to get them is by 
using Powercfg -q to dump your current settings. When you do that, 
you'll get a lot of output. But look for lines that refer to whatever 
you're trying to set, such as 

Power Setting GUID: 8183ba9a-e910-48da-8769-14ae6dcll70a 

(Low battery level) 

There's the GUID for the low battery setting. But where is the sub- 
GUID for the battery “group?" Scrolling further up from that line, 
you'll find 

Subgroup GUID: e73a048d-bf27-4fl2-9731-8b2076e8891f (Battery 

Assembling a -setdcvalueindex or -setacvalueindex command
isn't easy, but sometimes it's your only option. Try this example on
a laptop, and you'll be ready to put together a Powercfg command
for any need!
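The lookup described above can be automated. The following Python code is an added example, not part of the original column: it walks saved Powercfg -q output, finds a setting by its friendly name together with the scheme and subgroup lines above it, and assembles the command. The sample output is constructed; only the Battery and Low battery level GUIDs come from the column, and the Minimum/Maximum lines are assumed to be present in the dump.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
HEADER = re.compile(
    r"^\s*(Power Scheme|Subgroup|Power Setting) GUID:\s*(" + GUID + r")\s*(?:\((.*)\))?\s*$")
LIMIT = re.compile(r"^\s*(Minimum|Maximum) Possible Setting:\s*(0x[0-9a-fA-F]+)\s*$")

# Constructed sample laid out like `powercfg -q` output. Only the Battery and
# Low battery level GUIDs come from the column; every other GUID is a placeholder.
SAMPLE_Q_OUTPUT = """\
Power Scheme GUID: 11111111-2222-3333-4444-555555555555  (Constructed scheme)
  Subgroup GUID: aaaaaaaa-0000-0000-0000-000000000001  (Constructed subgroup)
    Power Setting GUID: bbbbbbbb-0000-0000-0000-000000000001  (Low battery level demo)
      Minimum Possible Setting: 0x00000000
      Maximum Possible Setting: 0x00000064
    Current AC Power Setting Index: 0x00000005
    Current DC Power Setting Index: 0x00000005
  Subgroup GUID: e73a048d-bf27-4f12-9731-8b2076e8891f  (Battery)
    Power Setting GUID: 8183ba9a-e910-48da-8769-14ae6dc1170a  (Low battery level)
      Minimum Possible Setting: 0x00000000
      Maximum Possible Setting: 0x00000064
      Possible Settings increment: 0x00000001
      Possible Settings units: %
    Current AC Power Setting Index: 0x0000000a
    Current DC Power Setting Index: 0x0000000a
"""


def parse_settings(q_output):
    """Return one dict per Power Setting, carrying the scheme and subgroup above it."""
    settings, scheme, subgroup, current = [], None, None, None
    for line in q_output.splitlines():
        header = HEADER.match(line)
        if header:
            kind, guid = header.group(1), header.group(2).lower()
            name = (header.group(3) or "").strip()
            if kind == "Power Scheme":
                scheme, subgroup, current = guid, None, None
            elif kind == "Subgroup":
                subgroup, current = guid, None
            else:
                current = {"name": name, "scheme": scheme, "subgroup": subgroup,
                           "setting": guid, "min": None, "max": None}
                settings.append(current)
            continue
        limit = LIMIT.match(line)
        if limit and current is not None:
            key = "min" if limit.group(1) == "Minimum" else "max"
            current[key] = int(limit.group(2), 16)
    return settings


def find_setting(q_output, name):
    """Find exactly one setting whose friendly name equals `name` (case-insensitive)."""
    hits = [s for s in parse_settings(q_output) if s["name"].lower() == name.lower()]
    if len(hits) != 1:
        raise LookupError("%d settings named %r" % (len(hits), name))
    if not (hits[0]["scheme"] and hits[0]["subgroup"]):
        raise LookupError("setting %r has no scheme or subgroup line above it" % name)
    return hits[0]


def build_command(setting, value, on_battery=True):
    """Assemble the -setdcvalueindex (battery) or -setacvalueindex (AC) command."""
    value = int(value)
    low, high = setting["min"], setting["max"]
    if low is not None and high is not None and not low <= value <= high:
        raise ValueError("%d is outside the allowed range %d..%d" % (value, low, high))
    switch = "-setdcvalueindex" if on_battery else "-setacvalueindex"
    # The value is written in decimal, as in the column's example.
    return "powercfg %s %s %s %s %d" % (
        switch, setting["scheme"], setting["subgroup"], setting["setting"], value)


if __name__ == "__main__":
    print(build_command(find_setting(SAMPLE_Q_OUTPUT, "Low battery level"), 20))
```

Matching the whole friendly name keeps a similarly named setting in another subgroup from being picked up by mistake.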

InstantDoc ID 102354 
Otey

"Using the same core hypervisor as the 
ESX Server that's standard in many 
enterprises, ESXi provides enterprise-level 
server consolidation." 



Free Virtualization Platforms 

You won't spend a bundle to save a bundle when you virtualize with these products 


Virtualization is an area in IT that provides a lot of bang for
the buck—all the more so if you implement virtualization using one of
the many completely free virtualization platforms that are available.
In this column, I'll tell you about ten free virtualization products,
some of which can be used for testing and development while others
are completely enterprise-ready server consolidation platforms.

Xen 3.4.0—Xen is a hypervisor-based virtualization product
that supports x86 and x64 processors. Although Xen is best
known in the Linux world, Xen 3.0 introduced support for running
Windows virtual machines (VMs). You can get Xen from
www.xen.org/download.

Oracle VM—Not to be left out of the virtualization market, Oracle
offers its Oracle VM product, which supports both 32-bit and
64-bit hosts and can run Windows Server OSs, Windows Vista,
Windows XP, Red Hat Linux, and Oracle Enterprise Linux as guests.
You'll find it at www.oracle.com/technologies/virtualization.

VMware Player—Although you might not realize it, VMware
Player is a full-blown virtualization platform. It's based on the
same code as VMware Workstation, but it's limited to running
VMs; it can't be used to create them. There are Windows and Linux
versions of VMware Player, which you can download from
www.vmware.com/download/player.

Microsoft Virtual Server 2005 R2—Virtual Server 2005 R2 is
Microsoft's server-oriented virtualization product. It's a hosted
virtualization solution, which means it needs a host OS, but it's
still useful for running VMs on older systems. Virtual Server 2005 R2
runs on the 32-bit and 64-bit versions of Windows Server 2003, Vista,
and XP. Its Virtual Hard Disks (VHDs) are compatible with Hyper-V.
You can download Virtual Server 2005 R2 from
www.microsoft.com/windowsserversystem/virtualserver.

VMware Server 2—Like Microsoft's Virtual Server 2005, VMware
Server is a hosted virtualization product. It's not hypervisor
based, but unlike Virtual Server 2005, VMware Server runs on
several hosts, including Windows Server 2000, Windows NT, and
Linux. You can download VMware Server from
www.vmware.com/products/server.

Microsoft Virtual PC 2007—Virtual PC 2007 is Microsoft's
current desktop virtualization solution. It runs on the 32-bit
and 64-bit versions of Vista and XP. It's a hosted virtualization
solution, and its VHDs are compatible with Virtual Server 2005 and
Hyper-V. A new version of Virtual PC is included in Windows 7. You'll
find Virtual PC at www.microsoft.com/windows/virtual-pc.

VirtualBox 3.0—Sun Microsystems' VirtualBox is a hosted
virtualization offering. Its host support makes it unique in this
crowd—VirtualBox runs on Mac OS, Linux, and Solaris in addition
to Windows OSs. VirtualBox supports x86 and x64 hardware.
Unlike most of the products in this list, VirtualBox supports virtual
USB controllers. VirtualBox is found at www.virtualbox.org.

Citrix XenServer 5.5—Based on the open source Xen hypervisor,
XenServer runs directly on the hardware like Hyper-V
and ESX Server. XenServer requires an x64 processor with
Intel-VT or AMD-V support. XenServer supports 32-bit and 64-bit
versions of Windows Server OSs and the enterprise Linux
distributions. Download the free version of XenServer from
www.citrix.com/English/ps2/products/feature.asp?contentID=1686939.

Microsoft Hyper-V Server 2008—Not to be confused with the
Hyper-V that ships with Server 2008, Hyper-V Server 2008 is a
standalone (and free) virtualization product from Microsoft.
Hyper-V Server 2008 runs directly on the system hardware. It's fully
capable of enterprise-level server consolidation. It requires an x64
processor with Intel-VT or AMD-V virtualization support. The upcoming
Hyper-V Server 2008 R2 will support Live Migration. You can get
Hyper-V Server 2008 from www.microsoft.com/hyper-v-server/en/us.

VMware ESXi 4.0—Using the same core hypervisor as the
ESX Server that's standard in many enterprises, ESXi provides
enterprise-level server consolidation. ESXi can be managed
using VMware Infrastructure 3 or VMware vSphere, and it fully
supports VMware VMotion. ESXi comes with a stripped-down service
console, letting it fit into a minuscule 32KB download package. You
can download ESXi from www.vmware.com/products/esxi.

InstantDoc ID 102427 
WHAT WOULD MICROSOFT SUPPORT DO?



Morales 

"Use this brand-new free tool to save you 
much time and hassle the next time you run 
into a high-CPU problem." 


Got High-CPU-Usage Problems? ProcDump 'Em!

ProcDump, a new Windows Sysinternals tool, saves you time in collecting data 
about CPU-hogging processes 


On the Microsoft support team, one of the most common
customer problems we encounter is systems experiencing high CPU
usage. Solving this type of problem is often challenging because you
must first determine which process or activity is responsible
for consuming so much CPU time, then determine the best approach for
capturing the process's activity during the problem period so that it
can be analyzed for root cause. Fortunately, Microsoft provides tools
to assist with high-CPU issues. I'll give a brief rundown of these
tools, then introduce you to a brand-new free tool called ProcDump
that will save you much time and hassle the next time you run into a
high-CPU problem.

High-CPU-Usage Troubleshooting Tools 

Until now, we've relied mainly upon these tools to help troubleshoot 
high-CPU problems on Windows systems: 

Adplus.vbs. This VBScript tool comes with the Debugging Tools
for Windows (www.microsoft.com/whdc/devtools/debugging/default.mspx)
and is a great resource for administrators to use for
dumping out a process during a high-CPU occurrence. However,
one of the drawbacks of Adplus is that a person usually has to be at
the console to physically issue the Adplus command to dump out
the process when the CPU spike occurs.

Xperf. This is a super tool for collecting process activity during a
high-CPU spike, and it doesn't require anyone to be physically at the
console to monitor for high-CPU occurrences. (You can download
Xperf at msdn.microsoft.com/en-us/performance/default.aspx.)
Although Xperf isn't fully supported on Windows Server 2003, our
experience with collecting stackwalk data (the critical piece of data
for analyzing high-CPU problems) on Windows 2003 has been very
positive, as long as you have the hotfix download available at
support.microsoft.com/kb/938486 or a later-dated kernel installed.

Something to consider with Xperf is that the tool collects data
about all processes and activity on the system, then lets you narrow
your focus postmortem, which means there's no way to specify, say,
"I just want stackwalking for XYZ.EXE"; instead you have to turn it
on for the entire system. So collecting and logging all of a system's
activity for a problem that may occur once in 24 hours could be too
much overhead depending on the typical workload of the systems
you're monitoring. (For more information about Xperf, see "Examining
Xperf," July 2009, InstantDoc ID 102054 and "Under the Covers
with Xperf," August 2009, InstantDoc ID 102263.)

Process Explorer (procexp.exe). I highly recommend that you
use Process Explorer, which you can download at
technet.microsoft.com/en-us/sysinternals/bb896653.aspx, to at least
look at the thread that's spiking the CPU to determine what components
are involved, so that you can update them before calling tech support.
If you need to investigate the problem further, though, you'll need a
tool that actually dumps out the process during the high-CPU spike;
Process Explorer can't do this. (For more information about Adplus
and Process Explorer, see "Say 'Whoa!' to Runaway Processes,"
November 2008, InstantDoc ID 100212.) But ProcDump can.

Introducing ProcDump 

ProcDump (procdump.exe) is a new Windows Sysinternals tool from
Mark Russinovich, which you can download at
technet.microsoft.com/en-us/sysinternals/dd996900.aspx. Procdump.exe
was created after an escalation engineer in my group asked Mark if he
would consider adding functionality to Process Explorer to enable
capturing a dump file of a process to help troubleshoot those pesky
high-CPU problems. After some thought, it was determined that the
best approach was to write a new tool, and ProcDump was born.

ProcDump lets you configure how much CPU a process should 
consume and for how long a time period before ProcDump creates 
a dump of the process. So you don't have to be at the console ready 
to issue commands the next time the process spikes the CPU. And 
you get to determine at what threshold the process can consume the 
CPU before ProcDump captures a dump of the spiking process. 

So, for example, you notice that wmiprvse.exe (the WMI Provider
Host process) spikes the CPU to 90 percent at random times
throughout the day, and you'd like to capture a few dumps for
analysis. The following command will dump out the process three
times when the CPU for wmiprvse.exe is at or exceeds 90 percent for
three seconds and store the dumps in the c:\procdumps directory
that you've already created:

c:\procdump.exe -c 80 -s 3 -n 3 wmiprvse.exe c:\procdumps 

The -c option is the CPU threshold parameter that you can configure;
-s tells ProcDump how long the service needs to consume the CPU
at the threshold you configured before a dump is generated. The -n
option tells ProcDump how many dumps to create, and wmiprvse.exe
is the process name you're asking ProcDump to monitor.

Microsoft (R) Windows Debugger Version 6.11.0002.400 X86 
Copyright (c) Microsoft Corporation. All rights reserved. 

loading Dump File [C:\procdumps\WmiPrvSE_062809_075819PM.dmp] 

User Mini Dump File: Only registers, stack and portions of memory are available 
Comment: '*** Process exceeded 5% CPU for 3 seconds. Thread consuming CPU: 4500 (0x1194) 

Figure 1: ProcDump output showing high-CPU-consuming thread 



So, for the previous command line, the WMI Provider Host service
will be dumped out each time the process exceeds 80 percent CPU for
three seconds or more and the dump files stored in the c:\procdumps
directory. The name of the dump file will be in the format
PROCESSNAME_DATE_TIME.dmp; the included timestamp makes it easy to
identify files captured over a period of several days. The other great
feature of ProcDump is that the thread that consumed the highest amount
of CPU is baked into the dump file, so that when the dump file is
opened in the debugger, you get a message indicating which thread
consumed the CPU, as Figure 1 shows.

Now there's no guesswork as to which thread was doing the work. From
the screen in Figure 1, you can then issue the ~ (tilde) command in the
debugger to find out what thread number corresponds to 0x1194. Figure 2
shows the command line and its output. As you can see, thread 2 (which
includes 1194 in the line) is the thread that corresponds to 0x1194.

This was just an example that I created to demonstrate the tool, but
now we can change the focus to thread 2 to find out what was going on
at the time the CPU was consumed. At the command prompt, run the
following command to change the context to thread 2:

0:000> ~2s 


The command's output in Figure 3 shows that the wmiprvse.exe process
enumerated through various directories (notice the calls to
CImplement_LogicalFile::EnumDirsNT) at the time this test was done,
which makes sense since the WMI query I issued required the
enumeration of all directories on my system (select * from
win32_Shortcutfile). ProcDump will also dump a process if any of the
process's windows are hung (-h option); again, you don't need to be
physically at the console to initiate this task.

Launching a Process Under the Debugger

An especially useful ProcDump option is the ability to launch a
process directly under the debugger using the -x option. The -x option
works with the Image File Execution Options registry entry. The
command example in Figure 4, which specifies -x with the lsass.exe
process, will take three dumps of lsass.exe when the process spikes the
CPU to 90 percent.

Now the next time lsass.exe is started, ProcDump will monitor the
process with the configured parameters. Why is this so cool? Because
there are processes that could spike immediately on startup and freeze
your whole system, and you can't log on to the console until the CPU
has settled down—but by that time, there's nothing to dump out because
the high CPU has gone down. Using ProcDump with the -x option lets you
capture information about these spikes when they happen.

More Help for High-CPU Issues

I predict that ProcDump will be the tool of choice for most high-CPU
issues and will change the way we attack such problems and how fast
they're resolved. ProcDump was built as a grassroots effort initiated
by Microsoft's Global Escalation Services team. A special thanks to
Ming Chen, the senior escalation engineer who first approached Mark and
got the ball rolling; Jeff Daily, a principal escalation engineer, for
his leadership and guidance; and of course, a huge thanks to Mark
Russinovich, a Microsoft technical fellow, for taking our input so
frequently and making changes so fast.

InstantDoc ID 102479

MICHAEL MORALES (morales@microsoft.com) is a senior escalation
engineer for Microsoft's Global Escalation Services team. He
specializes in advanced Windows debugging and performance-related
issues. For information about Windows debugging, visit
blogs.msdn.com/ntdebugging.


Figure 3: Wmiprvse.exe process thread 2 details

eax=013bd900 ebx=00004021 ecx=00000004 edx=00000044 esi=76fb49f4 edi=00100001
eip=76fb5cb4 esp=013bd548 ebp=013bd840 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
76fb5cb4 c3 ret
0:002> k
ChildEBP RetAddr
013bd544 76fb4a00 ntdll!KiFastSystemCallRet
013bd548 75810c0a ntdll!ZwOpenFile+0xc
013bd840 75810def kernel32!FindFirstFileExW+0x1c9
013bd860 60c44cbb kernel32!FindFirstFileW+0x16
013bdd5c 60c4585e cimwin32!CImplement_LogicalFile::EnumDirsNT+0x5b2
013be254 60c4585e cimwin32!CImplement_LogicalFile::EnumDirsNT+0x1151
013be74c 60c4585e cimwin32!CImplement_LogicalFile::EnumDirsNT+0x1151
013bec44 60c7b7e9 cimwin32!CImplement_LogicalFile::EnumDirsNT+0x1151
013beec8 666ff3dd cimwin32!CShortcutFile::EnumerateInstances+0x157
013beedc 666ff82f framedynos!Provider::CreateInstanceEnum+0x21


Figure 4: Using ProcDump with the -x option 


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.EXE 
Debugger = c:\procdump\procdump.exe -c 90 -n 3 -ma -x 
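Because the -x option works through a Debugger value under Image File Execution Options, the entry in Figure 4 stays in the registry after troubleshooting ends, and a full-memory (-ma) dump of lsass.exe contains credential material. The following Python code is an added example, not from the article or from Sysinternals: it audits saved `reg query ... /s` output for Debugger values so that leftover registrations can be found and removed. The sample text is constructed; apart from the LSASS.EXE entry from Figure 4, the keys and commands in it are made up.

```python
import re

# Matched as a suffix so both the native and the WOW6432Node registry views qualify.
IFEO_SUFFIX = (r"\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\").lower()

# Constructed sample in the layout printed by `reg query <key> /s`. The LSASS.EXE
# entry is the one shown in Figure 4; the other two keys are made up for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-app.exe
    Debugger    REG_SZ    c:\tools\example-debugger.exe -p
    GlobalFlag    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.EXE
    Debugger    REG_SZ    c:\procdump\procdump.exe -c 90 -n 3 -ma -x

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-svc.exe
    DisableHeapLookaside    REG_SZ    1
"""

VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)(?:\s{2,}(.*))?$")
FULL_DUMP = re.compile(r"(?<!\S)-ma(?!\S)", re.IGNORECASE)


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from `reg query ... /s` text."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.upper().startswith("HKEY_"):
            key = line  # key lines start in column 0; value lines are indented
            continue
        match = VALUE_LINE.match(line)
        if match and key:
            yield key, match.group(1), match.group(2), match.group(3) or ""


def audit_ifeo_debuggers(text):
    """Return one finding per image that has a Debugger value, highest severity first."""
    findings = []
    for key, name, _value_type, data in parse_reg_query(text):
        parent, _, image = key.rpartition("\\")
        if name.lower() != "debugger":
            continue  # other IFEO values (GlobalFlag, ...) do not launch a program
        if not (parent + "\\").lower().endswith(IFEO_SUFFIX):
            continue  # only direct children of the IFEO key are image names
        reasons = []
        if image.lower() == "lsass.exe":
            reasons.append("debugger attached to LSASS")
        if FULL_DUMP.search(data):
            reasons.append("command requests a full-memory dump (-ma)")
        findings.append({"image": image, "command": data, "reasons": reasons,
                         "severity": "high" if reasons else "review"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["image"].lower()))


if __name__ == "__main__":
    for finding in audit_ifeo_debuggers(SAMPLE_REG_QUERY):
        print("%(severity)-6s %(image)s -> %(command)s" % finding)
```

Every Debugger value is reported, because the registered program runs in place of the named image each time that image starts; the "review" entries are the ones to compare against a list of debuggers you expect to be installed.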


Figure 2: Output of ~ command

0:000> ~
   0  Id: 1260.e74 Suspend: 0 Teb: 7ffdf000 Unfrozen
   1  Id: 1260.6d0 Suspend: 0 Teb: 7ffde000 Unfrozen
   2  Id: 1260.1194 Suspend: 0 Teb: 7ffdd000 Unfrozen
   3  Id: 1260.11f8 Suspend: 0 Teb: 7ffdc000 Unfrozen
   4  Id: 1260.1780 Suspend: 0 Teb: 7ffdb000 Unfrozen
   5  Id: 1260.13d4 Suspend: 0 Teb: 7ffda000 Unfrozen
   6  Id: 1260.1544 Suspend: 0 Teb: 7ffd9000 Unfrozen
   7  Id: 1260.1164 Suspend: 0 Teb: 7ffd7000 Unfrozen

READER TO READER


Delete Junk Folders Created by SMS 

As the result of a few wrong switches, Microsoft Systems Management
Server (SMS) created but didn't delete some folders on many computers
at my company. For example, the folders highlighted in Figure 1 were
some of the folders added to one machine. Because the folders created
by SMS didn't have Full Control Administrators permission applied,
deleting those folders involved:

1. Logging on to each machine locally or remotely.

2. Applying Full Control Administrators permission to each folder.
Without this permission, the folders can't be deleted by
administrators.

3. Deleting the folders.

Manually performing these steps would've been time-consuming, so I
wrote a PowerShell script, deljunkfolders.ps1, to automatically delete
the folders and their contents. All the folders contained a subfolder
named update, like that in Figure 2. So, deljunkfolders.ps1 looks for
subfolders named update in top-level directories.

After finding all the top-level folders that contain an update
subfolder, deljunkfolders.ps1 uses the Get-Acl cmdlet to copy
permissions from a folder where the administrators have Full Control
Administrators permission, then uses the Set-Acl cmdlet to apply that
permission to the folder that needs to be deleted. Finally, the script
either displays the folders to be deleted or deletes them, depending on
the command you use to launch the script.

If you want to preview the folders that will be deleted and
deljunkfolders.ps1 resides on the D drive, you'd use a command such as

Powershell.exe D:\deljunkfolders.ps1 Pclist.txt

Pclist.txt is an input file that contains the names of the computers
you want to check. When you create this text file, the computer names
need to follow the format

PC001
Pc002
Pc003

If you're happy with the results in the preview, you can perform the
actual deletion using a command such as

Powershell.exe D:\deljunkfolders.ps1 Pclist.txt 1


TOOL TIME


Export PDF Text with Pdftotext 

If you occasionally need to export text from PDF files, pdftotext
might be a handy addition to your personal toolbox. Part of Foo Labs'
free Xpdf package (www.foolabs.com/xpdf/download.html), pdftotext is a
command-line tool that automates the export process.

Using pdftotext is straightforward. If you want to export the text
from a file named vmware.pdf, you can use pdftotext like this

pdftotext vmware.pdf

This command automatically creates a new file named vmware.txt in the
same folder as vmware.pdf. Where possible, pdftotext will remove
embedded hyphenation and line breaks. If you also want to remove
physical page breaks embedded in the PDF file, you can add the
-nopgbrk option:

pdftotext vmware.pdf -nopgbrk

To send the text output to the screen instead of a file, you include
the - parameter at the end of the command:

pdftotext vmware.pdf -

You can use multiple parameters together as well:

pdftotext vmware.pdf -nopgbrk -

Pdftotext works only with actual text, so you won't be able to export
images or scanned text that hasn't had optical character recognition
(OCR) performed on it. However, it works extremely well in its
specific niche.

The Xpdf package contains several other tools that can be useful for
manipulating PDF files. Pdftoppm and pdftops convert PDF files to the
Portable Pixel Map (PPM) or PostScript format, respectively. Pdfimages
extracts all images from a PDF file, pdfinfo returns general PDF
metadata, and pdffonts diagnoses font-related problems with PDF files.
If you work with PDF files and like command-line tools, xpdf is well
worth checking out.
—Alex K. Angelopoulos, IT consultant

InstantDoc ID 102437 
Figure 1: Example of folders created but not deleted by SMS
Name            Size      Type
SP2GDR                    File Folder
SP2QFE                    File Folder
update                    File Folder
spmsg.dll       14 KB     Application Extension
spuninst.exe    209 KB    Application

Figure 2: Looking for an update subfolder in top-level folders
Shapiro

To avoid a lot of calls from users, it's helpful to let them know how
to work offline once the transition to the network-based Favorites
folders is complete.

You can download the code in Listing 1 by going to the Windows IT Pro
website (www.windowsitpro.com), entering 102425 in the InstantDoc ID
box, clicking Go, then clicking the Download the Code Here button. Note
that adding the code in Listing 1 to the logon script is only one of
five steps in the registry edit method. To learn about the other steps,
see Apostolos's article "Redirect More Folders."


The last argument (1) tells the script to delete the folders.

Note that if a computer is unavailable, the script returns a message
stating that the ping failed for that computer.

You can download deljunkfolders.ps1 by going to the Windows IT Pro
website (www.windowsitpro.com), entering 102279 in the InstantDoc ID
box, clicking Go, then clicking the Download the Code Here button.
Using this script as a template, you can create your own solution to
delete folders that SMS created but didn't delete. I used PowerShell
1.0 to create this script, which I tested on Windows XP.

—James Lim, systems manager,
Distributed Systems and Services,
Neptune Orient Lines

InstantDoc ID 102279

Two Tips When Redirecting Folders 
via the Registry 

I read with interest Apostolos Fotakelis's article on how to redirect
Windows system folders for which Group Policy doesn't provide native
redirection ("Redirect More Folders," January 2009, InstantDoc ID
99798). In my environment, I had used Group Policy to redirect the My
Documents folder to the network, so I was eager to try Apostolos's
registry edit technique to redirect other Windows system folders.

After experimenting with redirecting the Favorites folder, I wanted to
pass on a couple of useful tips not covered in the original article.

Tip 1. One helpful feature that Group Policy redirection provides is
the ability to automatically move the Windows system folders' contents
to the network. The registry edit method doesn't automatically do this.
So, to move the Favorites folders' contents to the network, I adapted
the code that Apostolos added to the logon script. Specifically, I
added the lines highlighted by callout A in Listing 1. Now when the
logon script executes, the existing Favorites folders are copied from
users' computers to the specified server. Afterward, they're removed
from the local drive.

After all the Favorites folders have been copied onto the server, you
can remove the code in Listing 1 from the logon script. Existing users
will be set, and new users won't need it because they'll use the
network-based Favorites folders from the start.

Tip 2. If the server containing the Favorites folders is unavailable
or if users are working offline (e.g., on laptops disconnected from the
network), users won't have access to their Favorites folders. Although
Group Policy automatically makes redirected folders available offline
when the server is unavailable, this doesn't occur if you use the
registry edit method to redirect folders. Instead, users will need to
right-click the Favorites folder on the network drive, and select Make
Available Offline (Windows XP) or Always Available Offline (Windows
Vista).


—Jonathan Shapiro, senior network administrator, 
Birdsall Services Group 

InstantDoc ID 102425 

Listing 1: Revised Code to Add to the Logon Script

Net Use X: "RegFilePath"
reg.exe import X:\RegFile

:: Each If command below must be entered on a single line.
:: Replace servername\users with the path to your server share.
If Not Exist "\\servername\users\%USERNAME%\Favorites" xcopy "%USERPROFILE%\Favorites" "\\servername\users\%USERNAME%\Favorites" /E /C /I /Y

:: Replace servername\users with the path to your server share or remove
:: the line if you want to keep a local copy of the Favorites folder.
If Exist "\\servername\users\%USERNAME%\Favorites" rd /S /Q "%USERPROFILE%\Favorites"

Net Use X: /d /y

Schedule XP's Disk Defragmenter
with a Logon Script

Windows XP's built-in hard disk defragmenting software, Disk
Defragmenter, doesn't have a scheduling feature. Some commercial disk
defragmentation applications have scheduling capabilities, but they're
costly. I did some research and found that you can schedule XP's Disk
Defragmenter with the Task Scheduler.

I work in an enterprise environment with many workstations, so I
decided to write a logon script to automate the scheduling process. The
ScheduleDefrag.cmd script uses the Schtasks utility (the command-line
interface to Task Scheduler) to create a scheduled task named Weekly
Defrag. The Weekly Defrag task uses defrag.exe (the command-line
interface to the Disk Defragmenter) to defrag the hard drive.

ScheduleDefrag.cmd starts by checking to see whether the Weekly Defrag
task has already been scheduled with the code

Schtasks /Query /FO LIST | Find /c "Weekly Defrag"

This code uses the Schtasks command with the /Query parameter and its
/FO LIST switch to retrieve all the tasks already scheduled on the
system. The results are piped (|) to the Find command, which searches
for the string Weekly Defrag.

If the Weekly Defrag task doesn't exist, the script uses the following
Schtasks command to create it:

Schtasks /Create /RU "SYSTEM" /SC WEEKLY /D FRI /TN "Weekly Defrag" ^
  /TR "%systemroot%\system32\defrag.exe %homedrive%" ^
  /ST 12:00:00 /SD 10/01/2009

The /Create parameter tells Schtasks to create a scheduled task. I'll
go through the switches I used with that parameter so you can modify
the script to meet your defragmentation scheduling needs:

• The /RU switch identifies the account with which to run the task. In
this case, the task will run under the System account. The other system
account you can use is "NT AUTHORITY\SYSTEM".

• The /SC switch indicates how often to run the task. In this case, the
frequency is weekly, but there are other options, such as daily and
monthly.

• The /D switch denotes the day of the week to run the task.

• The /TN switch provides the name of the task being scheduled.

• The /TR switch specifies the task to run. In this case, Schtasks will
run defrag.exe on %homedrive%. The %homedrive% environmental variable
specifies a computer's local drive, which is typically the C drive. I
try to use environmental variables as much as possible when scripting.
If you hard-code the information, you must modify the script each time
it changes.

• The /ST switch indicates the task's start time. You must use a
24-hour clock and follow the format hh:mm, where hh is the hour and mm
is the minute.

• The /SD switch provides the task's start date. You must follow the
format mm/dd/yyyy, where mm is the month, dd is the day, and yyyy is
the year.

There are many other switches you can use with the Schtasks /Create
command. For a list of them, you can type

Schtasks /Create /?

on the command line or go to MSDN's Schtasks.exe web page at
msdn.microsoft.com/en-us/library/bb736357(VS.85).aspx.
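The existence check described above counts lines that contain the string, so a task whose name merely includes "Weekly Defrag" also satisfies it. The following Python code is an added example, not part of ScheduleDefrag.cmd: it compares the TaskName fields exactly and validates the values the article's switches expect before assembling the /Create arguments. Both sample outputs are constructed, including the task names other than Weekly Defrag.

```python
import re

DAYS = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")

# Constructed samples of `schtasks /Query /FO LIST` output. The first holds a
# similarly named task; the second uses a layout that prefixes the task folder.
OLDER_OUTPUT = """\
TaskName:      Weekly Defrag Report
Next Run Time: 09:00:00, 10/5/2009
Status:

TaskName:      Backup
Next Run Time: 23:00:00, 10/2/2009
Status:
"""
NEWER_OUTPUT = """\
Folder: \\
HostName:      PC001
TaskName:      \\Weekly Defrag
Next Run Time: 10/2/2009 12:00:00 PM
Status:        Ready
"""


def find_count(output, text):
    """What `Find /c "text"` reports: the number of lines that contain text."""
    return sum(1 for line in output.splitlines() if text in line)


def task_names(output):
    """Names from the TaskName: lines, with any leading task-folder path removed."""
    names = re.findall(r"^TaskName:[ \t]*(.*?)[ \t]*$", output, re.MULTILINE)
    return [name.rsplit("\\", 1)[-1] for name in names if name]


def task_exists(output, name):
    """True only when a task has exactly this name (case-insensitive)."""
    return name.lower() in (n.lower() for n in task_names(output))


def create_command(name, day, start_time, start_date, target):
    """Argument list for the weekly SYSTEM task, using the article's switches."""
    day = day.upper()
    if day not in DAYS:
        raise ValueError("day must be one of %s" % ", ".join(DAYS))
    if not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d(:[0-5]\d)?", start_time):
        raise ValueError("start time must use a 24-hour clock, for example 12:00:00")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/\d{4}", start_date):
        raise ValueError("start date must be mm/dd/yyyy")
    # A list keeps the task name and /TR command as single arguments, spaces included.
    return ["schtasks", "/Create", "/RU", "SYSTEM", "/SC", "WEEKLY", "/D", day,
            "/TN", name, "/TR", target, "/ST", start_time, "/SD", start_date]


if __name__ == "__main__":
    if not task_exists(OLDER_OUTPUT, "Weekly Defrag"):
        print(create_command("Weekly Defrag", "FRI", "12:00:00", "10/01/2009",
                             r"%systemroot%\system32\defrag.exe %homedrive%"))
```

With the first sample, the line count reports a match while the exact comparison correctly finds that Weekly Defrag has not been created yet.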

You can download ScheduleDefrag.cmd by going to the Windows IT Pro website (www.windowsitpro.com), entering 102428 in the InstantDoc ID box, clicking Go, then clicking the Download the Code Here button. To customize the script to meet your scheduling needs, right-click the file, select Edit, make the necessary changes to the Schtasks /Create command, then save the file.

You can run ScheduleDefrag.cmd as a logon script if you want to schedule the Disk Defragmenter on many machines, or you can run it locally if you want to schedule the Disk Defragmenter on only a few machines. To run it as a logon script, create or open an existing Group Policy Object (GPO), navigate to User Settings\Windows Settings\Scripts\Logon, and add the code in ScheduleDefrag.cmd to the Logon scripts dialog box. To run ScheduleDefrag.cmd locally, place it on the machine and double-click it or run it from the command line.

—Chris Betlach, IT manager, HaldemanHomme

InstantDoc ID 102428 

Another Way to Add URLs to IE 7.0's Favorites Tree

In "Easily Add URLs to Internet Explorer 7.0's Favorites Tree" (January 2009, InstantDoc ID 100743), I provided an alternative to using the Add to Favorites feature to add URLs to a large Favorites tree in Microsoft Internet Explorer (IE) 7.0. I recently found another undocumented way to do this:

1. In IE 7.0's address bar, click the URL 
icon that's immediately to the left of the 
URL. 

2. With the mouse button still held down, press F10 to bring up IE 7.0's menu bar, which Figure 3 shows. (Pressing F10 seems to be an undocumented way to bring up the menu bar.) Drag the icon on top of the word Favorites in the menu bar. The URL icon will change into a circle with a line through it (i.e., the universal symbol for "no").

3. With the mouse button still depressed, wait a second or two. The Favorites menu will drop down and you can drag the URL icon to the folder of your choice.

Note that this new method works for IE 8.0. You just need to press Alt+C instead of F10 in step 2.

Just for the record, I don't sit around all day trying to cook this stuff up. I usually make some kind of keying mistake, see the result, then backtrack to figure out what I just did that worked.

—Bret Bennett, principal consultant, BRET A. BENNETT
InstantDoc ID 102440

Figure 3: Bringing up IE 7.0's menu bar
ASK THE EXPERTS

ANSWERS TO YOUR QUESTIONS

Windows Server 2008 R2 ■ Outlook ■ Hyper-V ■ IIS

Q: How do I add and remove roles 
and features in Windows Server 
2008 R2 from the command line? 

A: ServerManagerCmd.exe, which was used for this task in Server 2008, is still available and you can use it, but the command has been deprecated and may not be in future versions. Instead, you should use the provided servermanager module cmdlets for role and feature management.

Depending on your PowerShell 
instance, you may need to import the 
module using the command 

Import-Module servermanager 

To list the roles and features that are available and installed, use the Get-WindowsFeature cmdlet with no parameters. This cmdlet will match the output from the command "servermanagercmd -query".

You can also pass a specific role or feature to see if it's installed. For example, to check if Hyper-V is installed, use

Get-WindowsFeature Hyper-V

If there's an X in the box next to Hyper-V, 
you know it's installed. 


To install or remove roles or features, use the Add-WindowsFeature and Remove-WindowsFeature cmdlets. Don't let the names fool you: even though it says feature, you can still add and remove roles. Note that your PowerShell instance must be running with administrator credentials for role and feature modification.

—John Savill 
InstantDoc ID 102366 

Q: Should I back up at the Hyper-V 
host level or within my guest OSs? 

A: The answer to this question depends on the guest OS, the type of storage you're using, and the availability of VSS writers for the workloads within your virtual machines (VMs).

If you're running guest OSs that support VSS, use NTFS on basic disks, exclusively use Virtual Hard Disks (VHDs) for storage, and have integration services installed, you can probably back up safely at the Hyper-V host level. You can use a Hyper-V VSS writer-aware backup application that will notify your VMs to prepare for a snapshot, ensuring the integrity of the backup. Remember to back up all volumes that have any data relating to the VM, including configuration locations, VHDs, and snapshots.

You should back up from within the guest OSs if you're running a guest OS that uses pass-through storage, maps to iSCSI storage directly through the guest iSCSI initiator, doesn't use NTFS, uses dynamic disks, doesn't have integration services installed, or doesn't support the backup integration service.

—John Savill 

InstantDoc ID 102346 
Q: Should I install System Center Virtual Machine Manager (VMM) on a physical box, or can I install it on a virtual machine (VM)?

A: VMM is the preferred management platform for your virtual environment and the question often comes up if VMM should be installed on its own physical box, or if it can be a VM. VMM is supported in both physical and virtual environments. The only condition is that if VMM is virtualized, you won't be able to migrate it to another virtual host, because VMM manages migrations.

—John Savill 

InstantDoc ID 102342 


Q: How do I stop the Location 
Information Pop Up? 

A: A new installation of Windows Vista with a new installation of Office Outlook 2003 or Office Outlook 2007 has consistently returned an annoying pop-up window for me. By default, Windows Vista installs the Telephony service for my laptop, which has a built-in modem. When I first try to add a new phone number to an Outlook contact, Windows jumps in to tell me that I haven't configured my area code for the modem. Any attempt I make to cancel this dialog box returns a Confirm Cancel window.

It doesn't matter whether I select Yes or No in the Confirm Cancel window; I am immediately returned to the Location Information box demanding a source area code. It’s Windows, not Outlook, that’s requesting this information. I see two options for halting this frustrating loop. The easiest is to enter a home area code in the appropriate field in the Location Information box and click OK. This covers up the symptoms without solving the underlying problem. If you don't use the modem at all, you can resolve this pop-up request by stopping the Telephony service and setting the value to Disabled. This is easily done if User Account Control has been disabled first. Otherwise, to stop the Telephony service, you need to set the Startup Type for the Telephony service to Disabled, and then reboot the workstation. Windows will no longer need a home area code.

—William Lefkovics
InstantDoc ID 102161

Table 1: URLscan and Request Filtering Comparison

| Request Filtering Feature | URLscan equivalent setting | IIS 7.0 Error (Status Code) |
|---|---|---|
| Filter Based on URL Sequences | DenyUrlSequences | Request Filtering: URL Sequence denied (404.5) |
| Filter by Verbs | UseAllowVerbs, AllowVerbs, and DenyVerbs | Request Filtering: Verb denied (404.6) |
| Filter Based on File Extensions | AllowExtensions and DenyExtensions | Request Filtering: File extension denied (404.7) |
| Filter Out Hidden Segments | Not Available | Request Filtering: Denied by hidden segment (404.8) |
| Filter Double-encoded Requests | VerifyNormalization | Request Filtering: Denied because URL doubled escaping (404.11) |
| Filter High Bit Characters | AllowHighBitCharacters | Request Filtering: Denied because of high bit characters (404.12) |
| Filter Based on Request Limits | maxAllowedContentLength | Request Filtering: Denied because content length too large (404.13) |
| | maxURL | Request Filtering: Denied because URL too long (404.14) |
| | maxQueryString | Request Filtering: Denied because query string too long (404.15) |

Q: Do I need to install the URLscan tool on my Microsoft IIS 7.0 Web server to filter malicious data from incoming HTTP requests?

A: No, in IIS 7.0 there's no need to install the URLscan tool. IIS 7.0 includes URLscan functionality out of the box. This service, which is equivalent to the URLscan tool and is present in IIS 7.0 and 6.0, is referred to as Request Filtering.

URLscan checks the URLs of all incoming web server requests. Attacks against web servers often consist of sending a URL to the server that contains a string that could be interpreted by the web server as an instruction to execute a malicious command. If a URL contains suspicious character combinations, strings, or verbs, or if it exceeds a certain length, URLscan automatically blocks the associated web request.

Although IIS 6.0 already provided built-in URLscan-like functionality, many administrators still added the URLscan tool to their IIS 6.0 web servers because URLscan supported additional features, such as the ability to remove server identity headers and support for a single unified text-based configuration file (urlscan.ini). IIS 7.0 includes these URLscan features out of the box, so it's no longer necessary to install URLscan.

IIS 7.0 Request Filtering supports the filtering of hidden namespaces, Request Filtering-specific error and status codes, and the definition of website- and URL-specific Request Filtering settings. Hidden namespaces define critical web server content that can't be requested in a URL, even if the content is present on the server. For example, IIS 7 defines the Web.config configuration file and the \App_Data and \Bin folders as hidden namespaces by default. Request Filtering-specific error and status codes allow web administrators to quickly identify why IIS's Request Filtering logic rejects certain web requests. Finally, in IIS 7.0 administrators can define a different Request Filtering behavior for each individual URL and web site. In IIS 6.0, the settings defined for URLscan are applied to all incoming web server requests, independent of the target URL or site.

Table 1 compares URLscan and Request Filtering functionality and shows the Request Filtering-specific error and status codes IIS 7.0 logs when it rejects a request based on a Request Filtering rule.

Unlike the other IIS 7.0 security features, you can't configure Request Filtering from the IIS Manager interface; you must configure it from the IIS 7.0 configuration files. To set Request Filtering rules for all websites hosted on your IIS 7.0 server, use the ApplicationHost.config file. To set website-specific Request Filtering rules, use the web.config file. The Microsoft article "How to Use Request Filtering," tinyurl.com/6z5vos, gives more details for configuring Request Filtering.

—Jan De Clercq 

InstantDoc ID 102325 
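
The following Python example is added here and is not part of the original column or of Microsoft's documentation. It reads an IIS W3C log, keeps the 404 entries whose substatus is one of the Request Filtering codes from Table 1, and groups the rejections by client so an administrator can see which rule fired for whom. It assumes sc-status and sc-substatus are among the logged fields; the log lines, IP addresses, and function names are constructed for illustration.

```python
"""Triage an IIS 7.0 W3C log for requests rejected by Request Filtering."""
from collections import Counter, defaultdict

# 404 substatus codes and reasons as listed in Table 1.
REQUEST_FILTERING_REASONS = {
    5: "URL Sequence denied",
    6: "Verb denied",
    7: "File extension denied",
    8: "Denied by hidden segment",
    11: "Denied because URL doubled escaping",
    12: "Denied because of high bit characters",
    13: "Denied because content length too large",
    14: "Denied because URL too long",
    15: "Denied because query string too long",
}

# Constructed sample log (documentation-range IPs, invented URLs). The second
# #Fields directive mimics a logging change made part-way through the file,
# and the last entry is deliberately truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus sc-win32-status
2009-09-01 08:00:01 GET /default.aspx - 192.0.2.10 200 0 0
2009-09-01 08:00:05 GET /bin/site.dll - 198.51.100.7 404 8 0
2009-09-01 08:00:06 TRACE / - 198.51.100.7 404 6 0
2009-09-01 08:00:09 GET /old/page.htm - 192.0.2.10 404 0 2
2009-09-01 08:00:12 GET /backup/site.bak - 198.51.100.7 404 7 0
2009-09-01 08:01:30 POST /upload.aspx - 203.0.113.25 404 13 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2009-09-01 09:15:00 203.0.113.25 GET /search.aspx 404 15
2009-09-01 09:15:02 192.0.2.10 GET /missing
"""


def parse_w3c(lines):
    """Yield one dict per entry, honouring every #Fields directive in the file."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # entries before any #Fields line cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        yield dict(zip(fields, values))


def request_filtering_hits(entries):
    """Keep only 404.x entries whose substatus is a Request Filtering code."""
    hits = []
    for entry in entries:
        if entry.get("sc-status") != "404":
            continue
        try:
            code = int(entry.get("sc-substatus", ""))
        except ValueError:
            continue  # substatus not logged or not numeric
        if code in REQUEST_FILTERING_REASONS:
            hits.append({
                "when": f"{entry.get('date', '?')} {entry.get('time', '?')}",
                "client": entry.get("c-ip", "?"),
                "verb": entry.get("cs-method", "?"),
                "url": entry.get("cs-uri-stem", "?"),
                "code": code,
                "reason": REQUEST_FILTERING_REASONS[code],
            })
    return hits


def summarize_by_client(hits):
    """Map each client IP to {substatus code: number of rejected requests}."""
    per_client = defaultdict(Counter)
    for hit in hits:
        per_client[hit["client"]][hit["code"]] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


def clients_tripping_many_rules(summary, min_rules=3):
    """Clients rejected by several different rules, worth a closer look."""
    return sorted(c for c, counts in summary.items() if len(counts) >= min_rules)


if __name__ == "__main__":
    found = request_filtering_hits(parse_w3c(SAMPLE_LOG.splitlines()))
    for hit in found:
        print(f"{hit['when']} {hit['client']} {hit['verb']} {hit['url']} "
              f"404.{hit['code']} {hit['reason']}")
    print(clients_tripping_many_rules(summarize_by_client(found)))
```

An ordinary 404.0 (file not found) is ignored on purpose, so the summary reflects only requests that a Request Filtering rule rejected.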

Q: Why should I disable time 
synchronization services for a 
PDC Flexible Single-Master 
Operation (FSMO) virtual 
machine (VM)? 

A: Virtualization is becoming more widespread and virtual environments offer a large number of services to improve the consistency and performance of the infrastructure. There are, however, certain instances where you should disable some services.

The PDC FSMO acts as the time source 
for the entire domain and should sync its 
time from an external Simple Network 
Time Protocol (SNTP) time source. You 
don't want the virtual server hosting the 
PDC FSMO to use its own local time to 
overwrite the time that PDC FSMO gets 
from the external time source, so you 
need to disable any time synchronization 
services in the virtual environment. 

In Hyper-V, you disable the services via settings for the VM. Select Integration Services from the Management section. Uncheck the "Time synchronization" option and click OK.

—John Savill 
InstantDoc ID 102343 
COVER STORY

VMware CEO Paul Maritz talks about vSphere 4.0, virtualization as a cloud platform, and VMware's competition with Microsoft

by Jeff James

It's been little more than a year since former Microsoft executive Paul Maritz replaced Diane Greene as the President and CEO of VMware, but Maritz has moved quickly to shake things up at the company. He bolstered VMware's formerly anemic partner efforts ("VMworld 2008 Recap," www.windowsitpro.com, InstantDoc ID 100388) and streamlined its management structure. A steady procession of former Microsoft colleagues have joined Maritz at VMware, including Mark Lucovsky (who was part of the original Windows NT engineering team), COO Tod Nielsen (former vice president of Microsoft's platform group), and EVP and Chief Development Officer Richard McAniff (former VP of Microsoft Office).

Maritz also helped formulate a more coherent vision for the company that leverages VMware's strength in virtualization to create a commanding beachhead in the burgeoning cloud computing space.

Yet as successful as VMware has been over the past decade, it now faces more competitive pressure than ever. Microsoft continues to improve its virtualization offerings, with Windows Server 2008 R2 now offering a long-awaited Live Migration feature comparable to VMware's impressive vMotion technology. Oracle has acquired virtualization platform providers Virtual Iron and Sun Microsystems, and Citrix continues to improve its XenServer, XenApp, and XenDesktop products.

To get an update on how VMware plans to keep the competition at bay, I recently chatted with Paul at the VMware campus in Palo Alto, about competing with Microsoft, the launch of vSphere 4.0, and what the future holds for virtualization in the enterprise. (Editor's Note: You can read the full-length version of this interview online at www.windowsitpro.com, InstantDoc 102507.)

How does the launch of vSphere 4.0 fit into the larger strategic vision of where you want to take VMware in the next few years?

Paul Maritz: Customers have this dilemma in that they want to get a fundamentally simpler, more efficient way of running IT. I've quoted some statistics that indicate 75 percent of some IT budgets goes to keeping the lights on, keeping the water flowing, and the rest of it. People are noticing that that's unsustainable in the long term, that increasingly boards of directors are asking harder and harder questions about that. Some of them open their papers on the airplane and read about all the cloud magic that is happening and they're coming back to their IT organizations and saying "Why are we stuck in the Dark Ages here? Why don't we just jump into the cloud and fire all you guys?"

It's indicative of a real challenge here because existing IT cannot just jump into the cloud. They have existing applications that are never going to get rewritten; they have real security concerns, so the challenge for the whole industry is how do we provide cloud-like capabilities into the existing data in a digestible, evolutionary way? We think that virtualization, broadly defined, is the key to doing that. And I mean that, whether it comes from us or someone else. There is no other strategy that is going to cut through these tentacles of complexity and allow people to get out of the trap they are in right now and reach forward to a simpler, more efficient environment.

And to do that, you have to take a much broader view of what virtualization is. It has to become, essentially, this layer of software that truly hides all the complexity in the resource layers, whether those be hardware or software resources, and frees the application of having to know too much or being dependent upon anything else down there. So, why we chose to draw a line with vSphere, and say this is really a generation change going forward, is that it's not only doing more and better of what virtualization did in the past, in terms of scalability and performance, et cetera, but it really is about enabling a whole new set of functions to become virtual as well. And to really get this vision of the internal cloud to come about, anything that is tied to a physical device today has to be freed from that device. So whether it be a firewall, a router, a data scanning engine, or whatever—all those things that today are physical boxes have to transform into things that can essentially be attached to these applications and move around with the applications.

In that sense, this layer of what traditionally we'd call virtual infrastructure has become an operating system for the data center, or if you want to be more sexy, for the cloud. And really that is the vision that we can take our customers on: Here is a nondisruptive way of taking your existing applications and starting to get control of the complexity and get to fundamentally higher levels of efficiency, simplicity, and manageability.

As we hide a lot of the complexity, it also opens up the opportunity for people to essentially provision their infrastructure in different ways. Instead of buying it and running it themselves, they can rent it in the future. So part of this is working with the service provider community sites—the ultimate freedom is that not only will the way that you look at and run your applications be simply more efficient, but you'll actually have the opportunity to partially, or even completely down the road (but more likely partially), get out of the data center business.

Jeff James: How would you compare your approach to virtualization and cloud computing to what Microsoft has articulated as its strategy?

Paul Maritz: Well, we, more so than Microsoft, have worked very hard [to get to the point where] anything you put into this container we call a virtual machine can get full benefits, and you don't have to do any rewriting of the code. And that's harder to do—you have to really work hard at it—but that's the essence of who we are.

Jeff James: Our readers have a lot of concerns about cloud computing. How will you address things such as security, identity management, and data protection, regardless of whether it's an external cloud or an internal cloud?

Paul Maritz: Well, the internal cloud is a lot easier to address because we provide a lot of the tools that you need to ensure security; as Steve [VMware CTO Steven Herrod] has been saying, we have the ability to essentially create secure zones in all those areas. So even though we're moving things around dynamically in order to take best advantage of the available hardware, we make sure that the security policies you've set up are glued to the application and travel with it. That's an example of how things are physically done today—you do a lot of security by putting firewalls around the edges. But when the applications are moving around, what do you do? Do you send a guy out to pick the firewall up and run over and put it down somewhere else?

What happens now is that firewall, figuratively speaking, travels with the application, and gets bound in a very real sense with the application itself. So, you can argue that the internal cloud will actually be more secure than the existing data center because it won't be as dependent on human beings to have to remember how to patch things up. We think we can make with a straight face the claim that the internal cloud will actually be a more secure and compliant environment.

So, the internal cloud I think is a good story. The external cloud is obviously a more challenging story because, number one, a lot of things are subject to regulation. You can't just put data wherever you want to—those regulations, for better or for worse, are written in physical terms. I sign a piece of paper every quarter [for compliance with] Sarbanes-Oxley that says we have a policy about who can get access to our data center and who can't, and it's all based upon who has a card key to get where. Obviously, that becomes a different issue when you start putting things in someone else's data center.

So, there's going to need to be some maturation in the industry here. But on the other hand, there's a lot of very sensitive information that is already outsourced. Every company in the Western world, basically, outsources their payroll. The payroll guys hold my Social Security Number, all sorts of really sensitive things, but we all trust ADP to do that. That's because it's been built up for a period of 30 or 40 years now, and ADP has put the right checks and balances and safeguards in place.

And I think the same set of things will 
evolve here—people will become more 
sophisticated in their choices for who their 
service provider or cloud partner will be, 
and they'll be able to differentiate between 
people like ADP, who have earned the right 
to hold the Social Security Number of every 
single one of your employees, versus Joe's 
rent-a-box down the corner. 

Jeff James: When we met last year at VMworld, I asked you specifically about how you'll compete with Microsoft. Could you talk a little more about how you're going to continue competing with Microsoft?

Paul Maritz: We have got to do a better job at what we do, which is being able to aggregate and scale and do virtualization better than they do. And secondly, we have to lead, so this whole notion of how do you virtualize not just the CPU and the memory but all of the infrastructure in the data center is something we've been working on for a couple of years now and they haven't even gotten to that point now.

Jeff James: And all of the stuff you're working on with your partners ....

Paul Maritz: Right, reflects that. So, that's 
the point of staying ahead of them. And then 
thirdly, you have to do things that they are 
going to be reluctant to do. They are going to 
be reluctant to provide really great support 
for alternative programming frameworks, 
whereas we intend to embrace all the new 
programming frameworks that come out. 

Jeff James: One of the things I noticed in the product rollout for vSphere 4.0 is the number of editions of the product you're providing. Some of them are targeted at the small-to-medium business (SMB) market. Is the introduction of these versions driven by Microsoft entering the market with Hyper-V, or are you responding to the lackluster economic conditions, or is it a combination of factors?

Paul Maritz: It's really a combination of realizing that while there's a high degree of overlap between the needs of the enterprise and the SMB, actually, in a weird way, it's some of the more advanced features that the SMB guys need. But you need to be able to package it and make it in a more complete form for the SMB because they don't have internal staff—they want to just take something and have it work.

So part of it is realizing, while there's a lot of commonality, we have to address the specific needs of the SMB market, which is both a need for greater completeness and a lower price in some cases. We've tried to find that sweet spot that we think will make it easier for our channel partners to reach their customers and do business with them.

And the other thing that I've done in that space is, as you know, since July of last year we've been giving away ESXi. We've had about 9,000 downloads a week of ESXi. A lot of those are people kicking the tires or downloading because they have nothing better to do, but some of those do get deployed and anchored, and even if it's 10 percent, it's still a substantial amount. So one of the packages we have is targeted at providing an upgrade path specifically for those customers.
Jeff James: What would you say to an IT professional or CIO who's evaluating vSphere to convince them to go with vSphere rather than a competitive solution?

Paul Maritz: I think there are two major reasons. One is we can run your aggregate infrastructure more efficiently, whether it be CPU utilization, storage, or power. [We've seen statistics that show that] in certain situations—just by upgrading from VI 3.5 to vSphere 4.0—you can save $2 million in terms of lower power utilization, better storage utilization, et cetera. So, number one, it's greater scale and efficiency, and one of the sub points under that is we can handle any load of knobs. So now, with a straight face, we can say to people, "You should virtualize 100 percent of your x86 environment." The second major reason is it's simpler in high-level management.

Jeff James: That's been a big issue with our readers. We've heard from a lot of readers that managing VMs is difficult.

Paul Maritz: We've done a lot of work to address all those concerns: VM sprawl, VM lifecycle, all of that kind of stuff. You're going to see a lot of management suites come out from us, due in the remainder probably of this year, that target the principal scenarios that people have. One of them is managing the VM lifecycle—how do you prevent VM sprawl? We have things in there where VMs will have predetermined lifespans so unless you do something to them, they blow up. They'll go away after three months so you don't have zombie VMs running around.

[We've heard from customers that they'd like improved management for] disaster recovery, test and development, and the application-level management. So we're targeting these high-level scenarios with virtual machine, test and development, disaster recovery, and application management solutions, trying to get people up and away from the plumbing.
Utilities

As I started researching this fourth article in my "Free Utilities" series, I knew this installment would be the most challenging yet. Finding good, reliable, useful free utilities is always a daunting task, but unearthing the tools that are relevant to IT pros' day-to-day responsibilities is even more difficult. However, the challenge can be quite rewarding. When you find a powerful, useful utility, the payoff comes in time saved, headaches reduced, and end users satisfied—always worth the effort. So, without further delay, here's a brand-new collection of 8 utilities that will help make your life easier.

WinAudit 

Parmavex Services' WinAudit isn't the only tool on the market that provides auditing capabilities for Windows systems, but it does its job in a compact, standalone 830KB executable file and runs on every version of Windows (desktop and server) back to Windows 95. (Windows Server 2008 support isn't officially listed, but I've tested it and found that it works fine.)

You can easily keep WinAudit on a USB drive and use it on any system from which you need 
to quickly collect configuration data. The data that WinAudit pulls together is comprehensive, as you 
can see in Figure 1, page 32, and you can save all this data to a file (text, .xml, .csv, .pdf), email it to 
someone, or even export it to a centralized database. 

As a bonus, WinAudit supports command-line execution, with all the output options available 
except email. (WinAudit doesn't include its own email client, so it relies on Microsoft Outlook.) In 
less than an hour, you can easily edit the logon scripts within your entire Windows network, add in 
WinAudit with configuration parameters to output the collected audit data to files or a database, and 
display an informational message to users while the audit is running. WinAudit is generally pretty 
quick: Execution on my Windows XP test system took a little less than 60 seconds. 

Keyfinder 

With WinAudit, over the course of a single lunch hour you can have a comprehensive auditing solution 
deployed to your network for no cost, storing data in a file or writing it all to a central database. But 
something that WinAudit doesn't capture is the various license keys for OSs and applications installed 
on those systems. 
Figure 1: WinAudit's display

Figure 2: The Keyfinder UI

Enter Magical Jellybean Software's Keyfinder, whose sole purpose is to capture all this data where possible and display it or store it for you. Again, acting as a standalone package (no installation required) and weighing in at just over 600KB, it's storable on a USB drive for quick auditing use whenever you need it. Keyfinder works on every version of Windows (desktop and server) back to Win95 (including Server 2008).

As you can see in Figure 2, Keyfinder found the license keys for all the Microsoft products on my test system, as well as license keys for installed third-party software. Keyfinder does this by searching a configuration file (keyfinder.cfg) for clues about where it should look in the registry for license keys for various applications. The default keyfinder.cfg file that Magical Jellybean Software provides contains the known locations of license keys for more than 160 commercial applications, and the text file is a simple delimited format, which you can easily modify for your purposes. Unfortunately, of the 160-plus applications that are preconfigured in Keyfinder's configuration file, many of them appear to be consumer applications (e.g., games, CD burners, media players), so you might need to do a little homework before Keyfinder reaches its maximum usefulness in your environment.

Like WinAudit, Keyfinder executes in command-line mode and writes its data to a custom CSV file for each system you run it on. So, once again, over the course of a lunch hour, you can configure Keyfinder to execute via logon scripts for your users and write the license key data for various applications to a central repository for compliance-auditing or backup purposes. As you add new applications to your enterprise over time, you can simply edit the main keyfinder.cfg file on your network to define where the license keys are stored in the Windows registry, and each system on your network will begin to log this data the next time its logon script executes Keyfinder.

Eraser 

Heidi Computers' Eraser is a freeware utility that securely wipes out data on your drive so that it can never be recovered—even with advanced forensic and data-recovery utilities. With various erasing strategies available (from multiple wipes with pseudorandom data to United States Department of Defense—5220-22.M—specifications), Eraser will make sure that no one can recover data from your organization's drives after it's deleted.

Eraser's interface is simple. You can use it for on-demand deletion of various areas on the disk, or you can run a scheduled purge of certain locations of the drive, as Figure 3, page 34, shows. Eraser can run its data destruction on the "unused" space of a drive (which would include any deleted files), a specific set of folders, or on one specific file. By default, Eraser comes with a number of data-overwriting strategies—from 1 to 35 writes—or you can build custom overwriting profiles as necessary. Eraser also integrates itself into the Windows Explorer shell so that if you right-click a file or folder, you have a new Erase option with which to securely wipe data immediately.

In my testing with the data-recovery utilities later in this article (i.e., NTFSUndelete, PhotoRec), I found that after I used Eraser to securely wipe out files, I wasn't able to retrieve them at all—not even parts of the data—no matter what I tried.

NTFSUndelete 

In keeping with the data-recovery theme, A-FF Data Recovery's NTFSUndelete is an easy-to-use, freeware data-recovery utility that recovers deleted files from NTFS file systems. Available as an installable Windows application or a bootable ISO image, NTFSUndelete might be able to help you retrieve data that's been deleted from an NTFS volume.

When you delete a file from NTFS—whether you completely delete it or put it in the Recycle Bin and empty it—the file hasn't actually been deleted. All that has taken place, as far as the file system is concerned, is that the directory entry for the file is marked as deleted, thereby making that space available to the system to write something else on top of it. Therefore, recovering a file moments after it has been deleted is often a trivial exercise, as long as no other write requests from the system have taken up the same space.

The Windows interface for NTFSUndelete is straightforward: Simply launch


the application, select the drive you're trying to recover files from, and NTFSUndelete begins searching the drive for deleted files to recover. When the scanning process is complete, a directory tree listing appears on the left side of the NTFSUndelete window. Some of the directory names in this window are grayed out, and others aren't; the folders that aren't grayed out are the ones that NTFSUndelete sees as having files that it might be able to recover. The Recycle Bin is typically stored in the C:\RECYCLER directory, and in Figure 4 you can see that it was able to find 10 picture files that I had deleted from my Recycle Bin moments beforehand. Simply selecting the files and clicking the Recover Marked Files tab begins the recovery process and lets you select a target directory to which to write the restored files. NTFSUndelete successfully retrieved all 10 files that I had deleted, with no trouble whatsoever.

Figure 3: Scheduling an Eraser job

PhotoRec 

There are times when NTFSUndelete might not work for you. What if the data is still on the drive, and yet no directory entries remain to use as a starting point for NTFSUndelete's recovery approach? If a portion of the data is available on the drive, a technique called data carving might be able to recover it. PhotoRec is the leading freeware utility for attempting a data-carving recovery on a drive.

Data carving is a method of data recovery that can retrieve data for which no reliable file system allocation information can be detected. Data carving requires searching through the raw sectors on a drive, looking for specific file signatures to identify sectors and clusters that make up a known file type. Think of it as a recovery method that completely ignores the entire directory/file structure on the drive and looks for fingerprints of common file types—for example, pictures, documents—to reassemble what it can.

PhotoRec (created by Christophe Grenier at CGSecurity) performs data-carving recovery from EXT2/EXT3/FAT, NTFS, and HFS+ file systems, and can recover data from more than 180 known file types, including various multimedia files, archives, Microsoft Office documents (including .doc, .ppt, .xls, and their Office 2007 counterparts), .pst files, and all sorts of other interesting file types, such as Microsoft Money, Quickbooks and Quicken, and Turbo Tax. Just launch the utility and walk through the menus to begin data-carving recovery on your hard disk. PhotoRec's DOS-like UI is somewhat basic, so you'll probably want to refer to CGSecurity's website for details about how to use the utility. But once you start the tool, it will look through the drive and recover the files that it can. The process can take a while—as you can see in Figure 5, a scan of my test system's 30GB drive would take several hours—but considering that the data is otherwise unrecoverable, the time PhotoRec needs is often worth the effort.

Data carving usually requires that the files to be recovered be located in sequential sectors (rather than fragmented across the drive) because there's often no reliable mechanism to map a way through the fragmented file portions. PhotoRec claims that it can deal with some situations of "low data fragmentation," but sometimes it just won't be able to recover a fragmented file. However, when it can recover a file, PhotoRec works extremely well.
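
The carving approach described above, and its trouble with fragmentation, as an added Python sketch (not PhotoRec's code): it scans a constructed disk image at sector boundaries for JPEG and PNG signatures and cuts each hit at the next footer. The sample image, the two-entry signature table and the CRC-based PNG integrity check are assumptions made for this illustration.

```python
import struct
import zlib

SECTOR = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# (header, footer) signatures; a real carver knows far more types than these two.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (PNG_SIG, b"IEND\xaeB`\x82"),
}


def carve(image, max_size=1 << 20):
    """Scan sector-aligned offsets for known headers and cut at the next footer.

    No file-system metadata is consulted. Returns [(kind, offset, data), ...].
    """
    found = []
    for off in range(0, len(image), SECTOR):
        for kind, (head, foot) in SIGNATURES.items():
            if not image.startswith(head, off):
                continue
            end = image.find(foot, off + len(head), off + max_size)
            if end != -1:
                found.append((kind, off, image[off:end + len(foot)]))
    return found


def png_is_intact(data):
    """Walk the PNG chunk list and verify every CRC; a foreign sector breaks it."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + body + CRC
        if end > len(data):
            return False
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return False
        if ctype == b"IEND":
            return end == len(data)
        pos = end
    return False


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def _pad(data):
    return data + b"\x00" * (-len(data) % SECTOR)


def build_sample_image():
    """Constructed test data: a tiny raw 'disk' holding three deleted files."""
    jpg = b"\xff\xd8\xff\xe0" + bytes(i % 251 for i in range(700)) + b"\xff\xd9"
    rows = b"".join(b"\x00" + bytes(range(32)) for _ in range(16))  # 32x16 grey
    png = (PNG_SIG
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 32, 16, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(rows, 0))    # level 0: stored, not packed
           + _chunk(b"IEND", b""))
    foreign = b"LOGDATA " * (SECTOR // 8)               # a sector of some other file
    image = (b"\x00" * SECTOR                           # sector 0: empty
             + _pad(jpg)                                # sectors 1-2: contiguous JPEG
             + b"\x00" * SECTOR                         # sector 3: empty
             + png[:SECTOR] + foreign + _pad(png[SECTOR:])  # 4-6: fragmented PNG
             + _pad(png))                               # sectors 7-8: contiguous PNG
    return image, jpg, png


if __name__ == "__main__":
    image, jpg, png = build_sample_image()
    for kind, off, data in carve(image):
        ok = data == jpg if kind == "jpg" else png_is_intact(data)
        print(f"{kind} at sector {off // SECTOR}: {len(data)} bytes, "
              f"{'recovered' if ok else 'corrupt (fragmented)'}")
```

The fragmented PNG is still "found", but the carved bytes include the foreign sector, which is why a carver needs a format-level check before it reports a file as recovered.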
Active Directory Change Reporter

As AD becomes an increasingly critical component of enterprise networks, keeping tabs on what's going on inside AD is an important task for any network administrator trying to keep his or her network healthy. Unfortunately, Microsoft doesn't include many ready-to-use tools for this purpose. Sure, you can use tools such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and search for things manually, but a way to track changes over time would have been a nice addition. The folks at NetWrix created the Active Directory Change Reporter utility, which Figure 6 shows, for just this reason, and they offer a free version to anyone who wants it.

Figure 4: NTFSUndelete recovering image files

Figure 5: PhotoRec looking for recoverable files

Active Directory Change Reporter is a simple utility that you can download and install on any system in your network. Essentially, it takes a snapshot of your AD environment every day and compares it with the previous day's snapshot, making note of differences. In its most basic mode, you can simply have it email you a daily HTML report of the changes, but the freeware version of Active Directory Change Reporter can also perform some more advanced operations such as "rolling back" unwanted changes.

There are a few limitations to the freeware version of Active Directory Change Reporter. You can't store a long-term archive of changes made to AD, and the utility won't log who (or what) made the change in your environment. Given these two limitations, the freeware version probably isn't going to meet stringent compliance-reporting requirements that many organizations now face. However, it's still a useful utility to have in your environment, and it maintains a small footprint. Just install it, run the configuration utility (which sets up a scheduled task in your environment), and you're done.

My best suggestion is that if you decide to stick with the free version, make a special email account (e.g., adchanges@mycompany.com) in your environment to receive the daily reports and store them there over time. Reading through change reports every day might get boring after a while, but if you have a log of all your changes over time, you can always search that account for the reports you want if you ever need to track down a change.
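
The daily snapshot comparison described in this section, as an added Python sketch (not NetWrix's code): it diffs two directory snapshots and shows what a snapshot diff cannot tell you. The snapshot layout (a dictionary keyed by distinguished name), the example.com objects and the change-record tuple format are all assumptions made for this illustration.

```python
# Constructed distinguished names for a hypothetical example.com domain.
DA = "CN=Domain Admins,CN=Users,DC=example,DC=com"
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"
CAROL = "CN=carol,OU=Staff,DC=example,DC=com"
PRINT01 = "CN=PRINT01,OU=Servers,DC=example,DC=com"
TEMP = "CN=temp-svc,OU=Staff,DC=example,DC=com"

# Snapshot format (assumed): {dn: {attribute: scalar or set of values}}.
MONDAY = {
    DA: {"member": {ALICE}},
    ALICE: {"userAccountControl": 512},      # 512 = normal, enabled account
    BOB: {"userAccountControl": 512},
    PRINT01: {"operatingSystem": "Windows Server 2003"},
}
# State at Monday noon, between two scheduled runs, so it is never captured.
MONDAY_NOON = {**MONDAY, DA: {"member": {ALICE, TEMP}}}
TUESDAY = {
    DA: {"member": {ALICE, CAROL}},
    ALICE: {"userAccountControl": 512},
    BOB: {"userAccountControl": 514},        # 514 = normal account, disabled
    CAROL: {"userAccountControl": 512},
}


def diff_snapshots(old, new):
    """Return change records (kind, dn, attribute, old_value, new_value).

    Multi-valued attributes (sets) are reported value by value, so a group
    membership change names the member that was added or removed.
    """
    changes = []
    for dn in sorted(old.keys() | new.keys()):
        if dn not in old:
            changes.append(("object_added", dn, None, None, None))
            continue
        if dn not in new:
            changes.append(("object_removed", dn, None, None, None))
            continue
        for attr in sorted(old[dn].keys() | new[dn].keys()):
            before, after = old[dn].get(attr), new[dn].get(attr)
            if before == after:
                continue
            if isinstance(before, set) and isinstance(after, set):
                for value in sorted(before - after):
                    changes.append(("value_removed", dn, attr, value, None))
                for value in sorted(after - before):
                    changes.append(("value_added", dn, attr, None, value))
            else:
                changes.append(("attr_changed", dn, attr, before, after))
    return changes


def mentions(changes, dn):
    """True if any change record refers to the given distinguished name."""
    return any(dn in record for record in changes)


if __name__ == "__main__":
    for record in diff_snapshots(MONDAY, TUESDAY):
        print(record)
    # The noon membership was granted and revoked between snapshots:
    print("temp-svc visible in daily diff:",
          mentions(diff_snapshots(MONDAY, TUESDAY), TEMP))
```

A diff of two states has no field for who made a change, and a change that is made and undone between two runs never appears, so keep directory-service auditing in the Security event log enabled alongside any snapshot-based report.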


NMap 

I've written three previous articles about free utilities for Windows IT Pro magazine, and I can't believe I've overlooked NMap until now. NMap is a network security scanner that originally came from the UNIX world over a decade ago, but to describe NMap as "just a port scanner" would be like describing the Hummer as "just a truck." NMap is, by far, one of the most in-depth network security scanning tools available on any platform, at any price.

Available as a Windows executable, NMap scans the IP addresses and subnets you instruct it to and gives you a wealth of information about any hosts it finds: running services, responses received on various TCP ports, versions of applications that are listening on those ports, and more. Through a series of advanced TCP/IP fingerprinting techniques, it will even try to guess the target host's OS.

As you can see in Figure 7, page 36, in which I ran a test against Wikipedia, NMap guessed that there's a 93 percent chance that the OS in use is Ubuntu Linux. A quick look at Wikipedia's own technical FAQ confirms that it is, in fact, running Linux—although the FAQ claims that the site is running Fedora's distribution.

For your IP network security needs, NMap is a must-have tool. The GUI is a great way to get familiar with the tool at first, but once you've learned the various command-line switches to run NMap, you can simply run the nmap.exe application directly and skip the GUI. The command-line flexibility provides many possibilities for batching and scripting NMap's operation.

BotHunter 

Five years ago, in "Sniff with Snort" (InstantDoc ID 42606), I wrote an article about implementing Snort—the world's leading open-source intrusion-detection suite—in a Windows environment. Snort is a terrific utility, and to this day I still recommend it to anyone who needs a good, reliable intrusion-detection tool to protect their networks. But Snort takes some time to get working just right, and it still relies solely on a "signature matching" algorithm within single data packets to detect intrusion attempts.

Figure 6: Configuring Active Directory Change Reporter

Figure 8: BotHunter's main information screen

That's still an effective (and necessary) approach for intrusion detection in an enterprise network, but SRI International's BotHunter takes matters a step further, adding a higher level of intelligence to the process. By correlating a number of packets over time and watching for the signature communication sequences that bot software typically utilizes—exploit usage, payload downloading, outbound bot coordination dialogs, outbound attack propagations, and so on—BotHunter can detect problems that simple intrusion detection can't. Although any individual packet might or might not be picked up by an intrusion-detection engine such as Snort, BotHunter's intelligent correlation engine can watch a system's communications over time and try to tie all the individual events together to determine whether a bot is operating in your network.
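
The difference between alerting on single events and correlating them per host over time, as an added Python sketch (not BotHunter's code or its scoring): it groups constructed sensor events by internal host and flags a host only when its events inside one time window form a bot-like sequence. The stage names follow the list above; the log format, the ten-minute window and the decision rule are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage names follow the sequence listed in the article; the grouping and the
# ten-minute window are assumptions made for this sketch.
INFECTION = {"exploit"}
FOLLOW_UP = {"payload_download", "bot_coordination", "attack_propagation"}
WINDOW = timedelta(minutes=10)

# Constructed sensor output: "<ISO time> <internal host> <stage>"
SAMPLE_LOG = """\
2009-10-05T09:00:02 10.0.0.23 exploit
2009-10-05T09:00:41 10.0.0.23 payload_download
2009-10-05T09:05:10 10.0.0.23 bot_coordination
2009-10-05T09:12:00 10.0.0.40 payload_download
2009-10-05T09:30:00 10.0.0.51 exploit
2009-10-05T15:45:00 10.0.0.51 bot_coordination
2009-10-05T11:00:00 10.0.0.77 payload_download
2009-10-05T11:04:30 10.0.0.77 attack_propagation
"""


def parse(log_text):
    """Turn the constructed log lines into (timestamp, host, stage) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, stage = line.split()
        events.append((datetime.fromisoformat(ts), host, stage))
    return events


def per_event_alerts(events):
    """The single-event view: one unranked alert per event, no context."""
    return [(host, stage) for _, host, stage in events]


def correlate(events, window=WINDOW):
    """Flag a host once its events inside one window form a bot-like sequence.

    Rule (assumed): an exploit plus any follow-up stage, or two distinct
    follow-up stages. Returns {host: (time_of_verdict, stages_seen)}.
    """
    by_host = defaultdict(list)
    for ts, host, stage in sorted(events):
        by_host[host].append((ts, stage))
    verdicts = {}
    for host, seen in by_host.items():
        start = 0
        for i, (ts, _) in enumerate(seen):
            while seen[start][0] < ts - window:   # slide the window forward
                start += 1
            stages = {s for _, s in seen[start:i + 1]}
            follow = stages & FOLLOW_UP
            if (stages & INFECTION and follow) or len(follow) >= 2:
                verdicts[host] = (ts, sorted(stages))
                break
    return verdicts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(len(per_event_alerts(events)), "single-event alerts")
    for host, (when, stages) in sorted(correlate(events).items()):
        print(f"{host} flagged at {when.isoformat()}: {', '.join(stages)}")
```

In the sample, 10.0.0.40 (one download) and 10.0.0.51 (two events more than six hours apart) stay below the bar, while 10.0.0.77 is flagged even though no exploit event was recorded for it.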

The most impressive aspect of BotHunter isn't just its advanced approaches to solving this type of security problem but the flexibility that SRI International provides—freely—to individual users and corporate users alike. If you're a freelance professional who wants to make sure your individual workstation isn't infected by a bot the next time you use free WiFi at your favorite coffee shop, BotHunter can help. If you're an enterprise network administrator who wants to keep track of traffic throughout your entire network and have access to a Switched Port Analyzer (SPAN) port or some similar means of watching all your traffic, BotHunter can help you out, too.

BotHunter's installation is relatively straightforward: Simply launch the installer executable and follow the prompts. To operate properly, BotHunter requires the Java Standard Edition Runtime Engine and WinPcap—a promiscuous-mode packet-capture driver. The installer determines whether you already have these installed, and it downloads and installs them for you if you don't. The only other thing BotHunter asks you to provide is your network's IP address particulars—what subnets you have, where your DNS servers are, where your mail servers are, and so on. After that, BotHunter is ready to run.


Figure 7: NMap scanning results for Wikipedia.org


If you see an alert come up in the GUI, which Figure 8 shows, you can then investigate it within your network and determine the problem. There aren't any alerts that BotHunter can send out right now, so you'll have to check the GUI from time to time, but posts in SRI International's user forums indicate that email notifications are coming in a future release.

We're Up to 32 

So, now you have eight more free utilities to add to your toolbelt. This batch will help you inventory your systems, recover lost data, and help keep your network secure. Of all the tools here, my favorite is PhotoRec, but I hope that you find all of them useful and that they can make your job a little bit easier.
7:00 am-5:00 pm

Conference Registration 

7:00 am-8:00 am 

Continental Breakfast 

8:00 am-9:00 am 

Keynote 

9:30 am-10:30 am 

Conference Sessions 

10:45 am-11:45 am 

Conference Sessions 

11:45 am-1:30 pm 

Lunch 

1:30 pm-2:45 pm 

Conference Sessions 

3:00 pm-4:30 pm 

Conference Sessions 

5:00 pm-7:00 pm 

Expo Hall Opens/Opening Reception 

WEDNESDAY, NOVEMBER 11, 2009

7:00 am-5:00 pm 

Conference Registration 

7:00 am-8:00 am 

Continental Breakfast 

8:00 am-9:15 am 

Conference Sessions 

10:00 am-11:15 am 

Conference Sessions 

11:30 am-12:45 pm 

Conference Sessions 

12:45 pm-2:15 pm 

Lunch 

2:15 pm-3:30 pm 

Conference Sessions 

4:15 pm-5:30 pm 

Conference Sessions 

THURSDAY, NOVEMBER 12, 2009

7:00 am-8:00 am 

Continental Breakfast 

8:00 am-9:15 am 

Conference Sessions 

9:30 am-10:45 am 

Conference Sessions 

11:30 am-12:30 pm 

Conference Sessions 

12:30 pm-2:15 pm 

Lunch 

2:00 pm 

Cruise Raffle 

2:15 pm 

Expo Hall Closes 

2:15 pm-3:30 pm 

Conference Sessions 

4:00 pm-4:30 pm 

Closing Session & Prize Drawing 

FRIDAY, NOVEMBER 13, 2009

9:00 am-4:00 pm 

Post-conference Workshops 


Nov. 9-12, 2009 • Las Vegas, NV

Mandalay Bay Resort and Casino 



A CONNECTIONS CONFERENCE 


Celebrate the launch of Exchange Server 2010 and Windows 7 
with Microsoft and industry experts. 

Find out from industry insiders the best migration path if your 
company is considering an upgrade. 

Listen to Microsoft discuss details of SharePoint 2010. 

Choose from over 200 sessions delivered by 125+ industry 
experts. 

Enroll to attend one show and you can cross over to attend 
sessions at any of the co-located shows for FREE! 

Sessions on current technology as well as highlights of the 
new stuff. 

Extend your professional and social network at our events 
outside of the sessions. 

Find products and services from our partners in the Expo Hall 
that can save money, save time, and help your business do more. 

Book your hotel early and take advantage of GREAT hotel rates at
Mandalay Bay ($149/night). Book 3 nights and get a $100
Mandalay Bay certificate. Enjoy a 4-star experience at a 2-star
price on the Las Vegas Strip!

Enjoy the excitement and luxury of one of Las Vegas' premiere
hotels while you experience one of the best technical conferences of
your career. You know that Las Vegas is famous for some of the best
dining, shows, shopping, and 24/7 buzz of anywhere in the world.
IT PROFESSIONAL • ADMINISTRATOR • ENGINEER • TECHNICIAN • EXPERT


Celebrate the upcoming releases of
Exchange Server 2010 and Windows 7!


Keynotes

Steve Riley

Mark Minasi
MR&D
Best-selling Author, Popular Technology Columnist, Commentator

Scott Guthrie
Microsoft
Corporate Vice President, .NET Developer Division

Thomas Rizzo
Microsoft
Director, SharePoint Group

Tony Redmond
HP
Vice President, Innovation and Community, EDS CTO Office, HP





■ Get a high-level overview of new features and functions in Exchange Server 2010 and get answers to some questions to consider 
before moving forward with Exchange Server 2010. 

■ Find out your options for deploying RODCs in the DMZ. 

■ Avoid those startup challenges for your own Hyper-V implementation. 

■ Integrate SharePoint document libraries and traditional file libraries. 

■ Learn about server virtualization attacks and how to avoid them. Learn about server virtualization tools. 

■ Make sure your SQL Server is properly backed up. 

■ Get started on the Unified Communications Voice journey armed with the right questions for success. 

■ Learn how the new releases of OCS R2 and Exchange Server 2010 work better together and how to implement them to save money 
and do more with less. 

■ Listen to suggested top tips that can save on IT infrastructure costs. 

■ Unlock the value of social and knowledge networking. 

■ Troubleshoot Group Policy for Windows Vista and Windows 7. 

■ Find out why you don't need Windows Server 2008 to get the new stuff in Group Policy. 

■ Cut through the time-consuming process of understanding how to create, manage and manipulate VHDs in Windows. 

■ Learn how to re-architect an existing SharePoint environment or build a new one using best practices. 

■ Understand which architectural components of SharePoint are good and bad candidates for virtualization. 

■ Look at some design principles that can be used to secure SharePoint such as designs with farms in the DMZ of firewalls, Content
Publishing, and Forms-based Authentication.

■ Discover best practices and inside information about truly accessing Exchange service in the cloud. 

■ Learn the various options available for High Availability in Exchange Server and the process involved in getting from a non-HA 
solution to a HA solution. 
CONFERENCE SESSIONS


WIN321: Can Windows 7 and Server 2008 
R2 Help Secure Your Network Better - 
and What Will It Cost? 

MARK MINASI

A look at the list of Windows 7's premier "big" new
features (VHDs, the UI changes, libraries, BranchCache,
DirectAccess, AppLocker, BitLocker To Go) will reveal
that three out of that seven (the last three) are 
security-related items. In this session, Windows 
security consultant and writer of the world's 
best-selling Vista security book Mark Minasi puts 
these and other Windows 7 and Server 2008 
R2-related security features under the microscope, 
explaining the good, the bad, the inexpensive and 
the pricey. 

WIN218: Easing Management and 
Securing Remote Offices with Windows 
Server 2008 R2 

JOHN SAVILL

This session will focus on the technologies in 
Windows Server 2008 to help ease management of 
remote offices that require infrastructure but 
typically don't have local administrators or facilities 
for proper server storage while increasing security 
for the organization. Technologies that will be 
focused on and demonstrated will include Server 
Core running ADDS in Read Only Domain Controller 
mode with BitLocker encryption. Demonstrations 
will include services designed to remotely manage a 
Server Core including winRM, how to automate 
server core deployment and what exactly a RODC 
means, and a walkthrough of configuring which 
passwords are kept locally on the server with a 
password hacking tool execution showing most user 
accounts are not stored, negating many of the 
problems of having unsecured domain controllers 
out in remote offices. With PowerShell now 
available in the core version of 2008 R2, we have 
more management options than ever before. New 
Windows 2008 R2 file system technologies such as 
Branch Cache and Read-only DFS replicas will be 
examined and how they enhance the branch user 
experience. 

See Web site as we add more Microsoft sessions.


MICROSOFT SESSIONS 

Windows 7 - Coolness - Part 1 

MICROSOFT 

Windows 7 - Coolness - Part 2 
MICROSOFT 

PowerShell for the Windows 7 Enterprise Client 

MICROSOFT 

Advanced PowerShell Scripting for Windows Server 2008 and Windows 7 

MICROSOFT 


Overview of Remote Desktop Services in Windows Server 2008 R2 

MICROSOFT 

Windows Server 2008 R2 - A Technical Overview 

MICROSOFT 

Windows Server 2008 R2 - Group Policy Changes 

MICROSOFT 

Windows Server 2008 R2 - Virtualization Improvements 

MICROSOFT 


RAS? Who Needs It! - Connect Remotely with Direct Access 

MICROSOFT 

Implementing a Work Anywhere Infrastructure with Windows Server 2008 R2 

MICROSOFT 

Best Practices: Securing Hyper-V and Your Virtualization Environment 

MICROSOFT 

Hyper-V: From Zero to Live Migration 

MICROSOFT 

Sessions and speakers are subject to
change. See Web site for updated
session information.


WIN101: ESX and Hyper-V Comparison

ALAN SUGANO 

Microsoft's own hypervisor, Hyper-V, was released 
with Windows Server 2008. It is designed to 
compete directly against VMware's ESX server. How
do the two products compare? We'll consider price,
performance, hardware requirements, high 
availability, management and other features in 
the comparison shootout. If you're evaluating 
virtualization platforms, make sure to attend this 
session to assist in your decision making process. 

WIN102: Everything You Wanted to Know 
About Storage but Were Afraid to Ask 

ALAN SUGANO 

If your company is like most companies, you are 
probably running low on disk space as storage-hungry
applications eat up disk space like
contestants in a pie eating contest. But what's the 
best solution for your company? With the advent of 
newer drive interface technologies like Serial 
Attached SCSI (SAS) and Serial ATA (SATA) there is a 
lot more to choose from when selecting a storage 
solution. This session will cover the storage basics of 
locally attached storage, network attached storage 
(NAS), just a bunch of disks (JBODs) and storage 
area networks (SANs), what they are, where they 
are typically used, and how they fit into a 
comprehensive storage strategy for your company. 

WIN324: Fast Track to Fixing AD Replication 

SEAN DEUBY 

A continuation of the first Fast Track AD session, this 
session will use the flowchart approach to resolve AD 
replication issues. Why should you have to figure it 
out new each time when you can simply follow a 
standardized method? It will build on the foundation 
laid in the first session, focusing on the most common 
ways replication goes wrong, and step through a 
repeatable process you can use to get objects and 
attributes flowing again. 

WIN325: Fast Track to Fixing General 
AD Problems 

SEAN DEUBY 

Active Directory is one of IT's most complex 
infrastructure systems. If AD isn't your sole 


responsibility, when you have problems sometimes 
it's hard to know where to start. What if you could 
just follow a flowchart? This session will show you a 
logical problem-fixing process you can take back to 
the office and use to speed your problem time to 
resolution. Sean will also give overviews of some basic 
tools every AD administrator should be familiar with. 

WIN305: File Sharing Smackdown: 

Shares vs. SharePoint 

DAN HOLME 

SharePoint document libraries are the new file share, 
or are they? What are the pros and cons of using 
SharePoint as a file store? What do file servers offer 
that SharePoint does not? Is a hybrid environment 
desirable or even possible? How can an enterprise 
migrate and integrate these two disparate approaches 
to a common goal? These questions and more will be 
answered by Dan Holme as you take a deep dive into the 
best practices and real-world experiences of enterprises 
large and small. This session will address both the 
strategic and technical details you need to know to 
support collaboration around files in your organization. 

WIN214: Group Policy in 2009 (Part I): 

The Modern Client and the Group 
Policy Preferences 

JEREMY MOSKOWITZ 
Vista has been out for a while. And so have the Group 
Policy Preferences. But are you making use of these 
new technologies? Not yet? Well, you're in luck. With 
an updated GPMC, the Group Policy Preference 
Extensions, an updated "engine" with Vista and 
Windows 7, it's like a Thanksgiving dinner you get to 
eat every day! So come hear the essential "What
every admin absolutely needs to know" about
Windows Vista, Windows 7 and Group Policy. Learn
why you need a modern management station to
support the new GPMC. Learn how to lock out
hardware, zap printers and keep yourself out of
trouble with new "MLGPOs." See the 21 new big
things Microsoft has gifted every administrator.

Even if you're not ready for Windows Vista or
Windows 7 now, that's okay, you positively must
come to this session to learn the ropes from Jeremy
Moskowitz, Group Policy MVP. (Note: some material
is covered in Jeremy's pre-conference workshop.)


WIN215: Group Policy in 2009 (Part II): 

Troubleshooting 

JEREMY MOSKOWITZ 
With the changes in Windows Vista and Windows 7, 
that means you might need to update your 
troubleshooting skills. Jeremy Moskowitz, Group 
Policy MVP of GPanswers.com and author of
Group Policy Fundamentals, Security, and 
Troubleshooting is just the guy to bring you the 
know-how. In this session, you'll learn why you can't 
just run gpresult.exe anymore and get the results 
you want. You'll discover what happens if you 
reconnect to network after a long absence. You'll 
learn how to crack open the new Vista and Windows 
7 event log and trace Group Policy flow to figure out 
what might be going on. You'll learn how to 
troubleshoot the new Group Policy Preference 
Extensions. You'll learn how other areas such as 
Offline Files and Group Policy Software Installation 
can be tweaked to give you just the information you 
need to fix what ails you. If you're looking for Group 
Policy answers to your troubleshooting questions, 
this is the session for you. 

WIN322: How Windows Storage Is 
Changing: Everything's Going VHD! 

MARK MINASI

Load Windows 7 or Server 2008 R2 on a system, and 
you'll notice something sorta strange: there's no 
boot record or BCD folder. Look at other Windows 7/ 
R2 systems, and you may notice something even 
stranger: there's only one file on the hard disk, and 
yet you can boot the system and run a normal 
Windows system. What's going on here? Simple: 
Windows 7 gets a lot of press for its faster-than- 
Vista performance and newer user interface, but 
there's a lot more to it, including native support of 
VHD files (that's how a one-file system boots) as 
well as a new default disk structure, support of 
direct-to-disk ISO burning, and more. Whether 
you're going to Windows 7 sometime soon or five 
years from now, you'll want to be prepared for the 
changes that Windows 7 brings to storage — and 
who better to prepare you than veteran Windows 
explainer Mark Minasi? Join Mark for this quick look 
at Windows 7/R2 storage and save yourself having 
to read a small mountain of white papers! 


WIN208: Leveraging SCVMM for Automated
Provisioning of VMs on Hyper-V

GUIDO GRILLENMEIER 
There are many ways to deploy Virtual Machines on 
Hyper-V servers directly. System Center Virtual 
Machine Manager (SCVMM) adds a few more 
methods that make it even easier to manage a 
larger Hyper-V farm and deploy VMs to it. This 
session will show the different alternatives you have 
when deploying VMs with SCVMM, but will also 
highlight the challenges you may run into when 
automating the whole process. The session will 
answer questions such as: Does cloning virtual 
machines make sense? How does SCVMM support 
this process? How do you create a template from a 
given VM? And more importantly, how do you feed 
that template with the correct input for deploying 
new VMs? How is the whole deployment process 
automated with PowerShell commands? 

WIN306: Managing Administrative Rights 
in Active Directory and on Computers 

DAN HOLME 

Users as local Administrators? Sure, you know it's a 
bad thing, but how, exactly, can you achieve it in the 
real world, where custom and sometimes poorly 
written commercial applications get in the way? And 
what about support personnel? What's the right level 
of administrative access to delegate, and how can 
you most easily manage administrative credentials 
and privilege in your enterprise? The interfaces we're 
given by Microsoft don't help, and in fact result in 
highly over-delegated (not least privilege!) rights in 
Active Directory, on servers, and on workstations. Cut 
to the chase in this practical session and take away 
best practices for securing administration, support, 
and systems in the real world. 

WIN216: Microsoft App-V: How to Keep 
Your Machines from "Blowing Up" 

JEREMY MOSKOWITZ 
Let me guess: your machines just "blow up" now
and again. And I know why. It's because you have a 
zillion applications on them with a half a zillion 
conflicts and things just "deteriorate" over time. 
Wouldn't it be neat if you could just eliminate that 
problem altogether? Well, with Microsoft's Application
Virtualization technology (App-V, formerly known
as Softgrid), you can. It works by "wrapping up"
your existing software into "sequences," and then
putting them into a virtual sandbox. The upshot? 
Your applications aren't running "on" Windows. 
They're running within the sandbox. So, no more 
desktop deterioration. App-V is a big place, but 
come to this session to make sure you know the ins 
and outs before you get it in your organization! 

WIN217: NAP Your World: How to Keep
Your Network from Catching the Flu 

JEREMY MOSKOWITZ 
Cough cough. That's the sound your network makes 
when one user doesn't "bundle up" with antivirus
software. Yep, just one user later, and you've got a 
big problem. So, how do you contain your little 
problems so they don't become BIG problems? NAP: 
Network Access Protection. The idea is that you can 
quarantine "bad" machines, and remediate them and
make them "good." While they're "bad" they get limited
access and can't hurt others. When they're "good" they 
get all the network access they need. NAP is nothing 
to sneeze at. So come by and check it out; so you 
don't catch the flu (or worse, pass it on to others.) 

WIN219: Remote Desktop Services in 
Windows 2008 R2 and What We Can Do with 
It, and Maybe, What We Can Get Rid Of 

JOHN SAVILL 

Terminal Services in previous versions of Windows 
has had issues, either with complexities for users 
just trying to do simple items like printing a 
document, complicated session environments just 
to run a single application, and VPN or firewall 
requirements to get access to a terminal server from 
outside the organization. Windows Server 2008 
addressed all of these issues with a number of new
technologies and updates to existing technologies
including TS Easy Print enabling pass through
printing, enabling remote sessions to take full
advantage of locally installed printers and drivers,
published applications for seamless application
integration with the user's desktop and TS Gateway
for anywhere access to remote sessions and
applications. Windows Server 2008 R2 adds on to
these advancements for better performance using
less bandwidth, an enhanced session broker to
support VDI and overall improvements to make RDS 
virtual ready. With all these in-box capabilities, 
many organizations are evaluating the need for 
add-on remote solutions. 

WIN309: RODCs in the DMZ? Never!
Or Should I?

GUIDO GRILLENMEIER 
It is a compelling option to deploy RODCs in the DMZ 
- they help to reduce the costs of managing another 
AD forest in the DMZ and simplify overall management 
of the DMZ. This was the key reason for HP to leverage 
RODCs quite to the surprise of Microsoft at the time. 
There are even more challenges as to how RODCs work
"under the hood" that need to be understood when
deploying RODCs in the DMZ, which would be covered 
by this session. We'll also cover the benefits and 
downsides of deploying RODCs compared to traditional 
methods of authenticating users to resources in the 
DMZ - and help to clarify that RODCs in the DMZ is 
not the right solution for everyone. This session builds 
on the previous "Tales from Deployment of RODCs in
Large Enterprises" session, but will also make sense
if you could not attend the first one. 

WIN210: Running AD Domain Controllers 
on Hyper-V 

GUIDO GRILLENMEIER 
Running Active Directory Domain Controllers as Virtual 
Machines has been possible for quite a while and is 
even supported by Microsoft! This is true for Virtual 
Server 2005 and for Hyper-V. This session will not 
only discuss the technical requirements to host an 
AD Domain Controller—either a writeable one, or a 
Windows Server 2008 RODC—as a VM on a Hyper-V 
server. It will also cover the rules you have to follow 
to make this work. 

WIN203: Server Virtualization Security 

ALAN SUGANO

Over the past two years, server virtualization has 
exploded. But how secure is it? We'll examine potential 
vulnerabilities on the server virtualization platform 
and how to address them. This session will include 
best practices to secure your virtual server guests 
and hosts. We'll look at virtualization-specific security 
solutions for different virtualization platforms. Ensure
that your virtualization ecosystem is secure by
implementing the best practices in this session. 

WIN326: The Cheapskate's Advanced 
AD Recovery 

SEAN DEUBY 

It's well known there are different ways to recover 
Active Directory—some easier than others. What's 
not so well known is that you can use some of these 
new easy techniques without the time and expense 
of upgrading your entire domain or forest. This session 
will give you step-by-step directions, customized to 
your deployment level, on how to take advantage of 
the newest and most effective AD recovery features 
with the smallest deployment of Windows Server 
2008 and R2 DCs. 

WIN311: The Real Challenges of 
Operating Hyper-V Clusters 

GUIDO GRILLENMEIER 
This is a session that does NOT compare the features of 
Hyper-V to those of ESX. It also does NOT compare the 
performance of Hyper-V to that of other 
hypervisors. We know they all have their differences, 
but Hyper-V is certainly an attractive option. This 
session concentrates on the challenges of actually 
operating a Hyper-V implementation at enterprise 
scale and how we solved them. Details covered 
include best practices for deploying Hyper-V in a 
cluster, including various little traps that you can 
avoid falling into. Similarly, System Center Virtual 
Machine Manager (SCVMM) brings along its own 
challenges when planning to leverage it in a global
Hyper-V deployment—though some things are not
only relevant for larger-scale deployments and need 
to be understood for any size of SCVMM deployment. 
This includes handling of networks in a cluster and 
deployment of multiple disk-drives per VM. The 
session is a result of production use of Hyper-V and 
not from running it in test labs. 

WIN104: Top Items Where Your Company 
can Save on IT Infrastructure 

ALAN SUGANO

During these tough economic times, you may be 
able to help save your company money by reviewing 
your company's infrastructure. From your Exchange 
configuration, backup strategy, WAN charges, spam 
filtering, virtualization, and other areas, you may be 
able to help streamline your company's IT infrastructure
without sacrificing the reliability and
performance of your network. Use suggestions from 
this session to ensure your company remains 
healthy during the economic downturn. 

WIN120: Virtualization, the Microsoft Way 

JOHN SAVILL

In this session we will look at all the technologies 
to facilitate virtualization in your organization and 
the technical and business benefits. Key 
technologies explored deal with server virtualization 
using Hyper-V (including Clustering Hyper-V), 
presentation virtualization using new Windows 
Server 2008 terminal services capabilities, 
application virtualization using Softgrid and Kidaro 
technologies. We will look at putting all these
technologies together for a Virtual
Desktop Infrastructure (VDI) and how 
solutions such as the Microsoft 
Assessment and Planning Toolkit help us 
get a grasp on the benefits virtualization 
can bring to our organizations. 

WIN223: What Server 2008 R2 
Does for Your Active Directory 

MARK MINASI 
Windows Server 2008 R2 is coming 
soon, and that means new tools for 
directory service IT pros. For the 
occasional admin, Active Directory 
Users and Computers is still around, but 
now it's got a task-oriented sibling, the 
"Administrative Center for Active Directory 
(ACAD)." What's that, you're not a GUI fan? Then
you'll smile when you learn that under the hood, 
ACAD just kicks off command-line PowerShell 
commands to get its work done, which brings us 
to Windows Server 2008 R2's premier AD 
advance—more than 85 PowerShell cmdlets. 

That might well be enough to justify an "R2" 
upgrade, but there's more: an "AD recycle bin" that 
lets you undelete things that were, um,
accidentally eliminated. A centralized, secured way 
to create and manage service accounts. ADLDS 
(what was once called ADAM) as well as AD both 
get new functional modes, and R2 supports 
"offline domain joins." For the details, don't miss 
this fast-paced, entertaining presentation from 
Mark Minasi, author of the world's best-selling 
books on Active Directory! 

WIN226: Introduction to the Cloud: 
Infrastructure, Platform, and Software 
Services 

STEVE RILEY 

WIN327: Security and Compliance 
in the Cloud 

STEVE RILEY 

WIN328: Managing Resources and 
Performance in the Cloud 

STEVE RILEY

MICROSOFT SESSIONS - UNDER WRAPS

Microsoft techs present ten great sessions on Microsoft SharePoint 2010 with a commitment towards 
arming the practical programmer with the knowledge you need to get up to speed quickly with the 
SharePoint platform and tools. The specific SharePoint session titles and abstracts are under NDA until early
August 2009, but we've seen the line-up and know the agenda will help make developers and IT professionals
both excited and more productive. Visit the SharePoint Connections Web site when we reveal
the details of this great content.

SharePoint Admin


HIT305: Backup and Restore for SharePoint: 
Protecting Mission Critical SharePoint 
Data with New Tools and Technologies 

MICHAEL NOEL 

As more and more organizations use SharePoint to 
store documents and other critical data, it becomes 
imperative to provide for backup and restore specific 
for SharePoint. While some integrated tools exist to 
provide for disaster recovery, document-level restore 
capabilities are often needed in a SharePoint 
environment. This session covers some of those 
technologies, and focuses specifically on how the 
new Microsoft System Center Data Protection Manager 
(DPM) 2007 product can be used to provide for 
SharePoint-specific backup and item-level restore. 

In addition, specifics on how to integrate DPM with 
a Microsoft Office SharePoint Server 2007 or Windows 
SharePoint Services farm are provided and best 
practice architectural examples for DPM, snapshot 
guidelines, and deployment tips and tricks from the 
field are covered. 

HIT301: Best Practices for SharePoint 
Governance and Design 

DAN HOLME 

You've read the white papers, you've Googled 
governance, but how, exactly, do you design a 
SharePoint implementation that will support 
governance and your information architecture? 

Join SharePoint MVP and consultant Dan Holme 
for a practical, nuts-and-bolts look at the close 
relationship between your information 
architecture and SharePoint's manageability 
controls, and the demands that relationship places 
on your design and infrastructure. Learn how to 
align your governance requirements with
SharePoint farms, Web applications, and site
collections. Gain a deeper understanding of the 
intricacies and challenges of designing the logical 
structure of SharePoint, and take away practical, 
blueprint-like guidance to what a governed 
SharePoint implementation might look like in your 
enterprise. 

HIT302: Building Document Content Type 
Solutions for SharePoint 

DAVID GERHARDT 
Content types are a core concept used in Microsoft 
Office SharePoint Server 2007 and are a means to 
manage content and ease reuse within sites. This 
session leverages material from the book Building 
Content Type Solutions in SharePoint 2007 and 
examines ways to get the most out of your 
document content type solutions. 

HIT303: Building InfoPath Form Solutions 
for SharePoint 

DAVID GERHARDT 

With Microsoft Office InfoPath 2007 you can design 
a single form template to be used in SharePoint for 
rich client and browser scenarios. This session 
explores both of these scenarios and offers tips on 
how to optimize your form solutions with 
declarative logic and managed code. 

HIT309: End Excel Hell: Migrate Excel Files 
to SharePoint and Getting Started with 
Business Intelligence 

TY ANDERSON 

There is no doubt that valuable company 
information resides in a plethora of Excel files. 
Financial models, customer lists, hedge fund stock 
projects, serial numbers...you name it and it is 
probably tracked in an Excel spreadsheet
somewhere. Useful Excel files typically are shared
with other users via e-mail, file shares, or 
SharePoint. That's fine, but SharePoint is a 
Business Intelligence platform that offers a 
method for migrating (or maturing) Excel files and 
integrating them as part of a Business Intelligence 
solution. 

This session will show how to build a BI solution
that begins with a set of Excel files and ends with a
BI Dashboard that integrates data from Excel files
and other data sources. 

HIT310: Implement SharePoint and 
Search for FREE! 

WENDY HENRY 
Don't let budget constraints stop you from 
implementing the collaborative solution your users 
and management demand! For no purchase cost, 
you can implement a SharePoint environment with 
cross-site and cross-platform enterprise search 
capabilities using WSSv3 and Microsoft Search 
Server 2008 Express. Join this session's live virtual 
machine demonstrations on installing and 
customizing Search Server 2008 Express in a WSSv3 
environment to witness how these two powerful 
tools from Microsoft complement each other. Come 
see that free can be valuable indeed! 

HIT202: Improving Your SharePoint 
Designer Workflows 

DAVID GERHARDT 
Microsoft Office SharePoint Designer 2007 allows 
you to write codeless workflows with conditional 
logic, but there are some limitations that come with 
this application. This session identifies some of the 
shortcomings of SharePoint Designer workflows and 
provides workarounds that will help improve your 
automated business processes.

HIT201: Knowledge and Social Networking
in the Enterprise

DAN HOLME 

Discover why SharePoint MVP Dan Holme thinks 
"social networking" is a bad word, and why we'll all 
have to "get over" it if we want to remain 
competitive in the coming decade. This session will 
explore the extraordinary value found where human 
activities and information intersect, and how you 
can unleash that value within your organization. 

HIT101: MOSS Administration Roadmap 

MICHAEL BLUMENTHAL 
Want to be an expert MOSS Administrator in an 
hour? Too bad. The reality is that in an hour, you'll 
barely scratch the surface. Often, the product is so 
overwhelming, new administrators don't know 
where to start. This session will fix that. Think of it as 
your guide on the road to competency. Get an 
overview of the essentials, learn mistakes to avoid, 
and learn how to get the tools you need to get the 
job done. 

HIT207: Optimize SQL Server for SharePoint 

WENDY HENRY 

With so many best practices, white papers and 
technical documents out there regarding SQL Server 
administration for SharePoint, it's hard to know 
where to turn. Attend this session and we will 
quickly weed through the surplus of information 
available to focus on the top strategies for 
optimizing the performance of your SharePoint 
databases! Helpful worksheets and tracking guides 
will be illustrated for not only implementing 
optimization solutions but monitoring ongoing 
database performance in SQL Server 2005/2008 as 
your SharePoint environment grows and changes. 
Don't miss this opportunity to garner the tools you 
need to keep your SharePoint enterprise operating 
at peak performance! 

HIT204: Organize Your Intranet Right 
the First Time! 

MICHAEL BLUMENTHAL 

75% of people surveyed are dissatisfied with how
their intranet is organized. If you are one of them,
come to this session to learn a technique and process
that can dramatically improve user satisfaction with 
site organization. Learn how to make it much easier 
for site users to find the information they are looking 
for. In this session, I'll provide guidance on how to 
determine the most intuitive system for organizing 
site content (an information architecture), the benefits 
of a content taxonomy, and how you combine these 
with SharePoint structures to build out a highly usable 
and successful Intranet that boosts user productivity 
and user adoption. 

HIT306: Security for SharePoint in an 
Insecure World: Examining Methods and 
Technologies to Mitigate Threats to 
SharePoint 

MICHAEL NOEL 

The collaboration and document management capabilities
within SharePoint products and technologies
are robust and can greatly improve functionality. 

The nature of the modern workplace in many cases 
requires anytime connectivity to the SharePoint 
platform, not only from within the confines of a 
traditional office, but also on the road or in the 
home office. Many organizations are subsequently 
finding it extremely valuable to expose their 
SharePoint environment to the Internet, but are 
being faced with a myriad of security challenges to 
keep their vital organizational information from 
being hacked and exposed. This session focuses on 
outlining the risks of exposing SharePoint to the 
Internet and explaining which technologies have 
been proven to mitigate those risks. From secured 
Web publishing using Microsoft's Internet Security 
and Acceleration (ISA) Server or the Internet Access 
Gateway (IAG) product line, to rights management 
protection, to antivirus with ForeFront Security for 
SharePoint, this session covers a range of security 
concerns and how they can be addressed. 

HIT304: SharePoint Administration 
with STSAdm...Not. Let's Try It with 
PowerShell Instead! 

KEVIN ISRAEL 

Meet the newer kid on the block, PowerShell. Its 
only job in life is to make our lives easier. This session 
not only covers the fundamentals of PowerShell but
will demonstrate how to make just about anything
you need to do with SharePoint easier. This session 
will be geared towards developers and architects. 
Want to see STSADM on steroids? Come to this session! 

HIT311: SharePoint Data Entry on a Budget 

WENDY HENRY 

Imagine: a WSSv3 environment with no budget for 
MOSS 2007, Forms Services 2007, or InfoPath 2007 
on every desktop. Sound familiar? Then don't miss 
this session on using WSSv3 tools such as custom 
lists, custom views, and automated workflows to 
help information workers build form-like data entry 
solutions in SharePoint. MS Word forms stored in a 
document library are too easily overwritten and 
non-IT personnel require extensive training before 
they can build Data View Web Parts in SharePoint 
Designer 2007. Experts and novices alike will walk 
away from this session with the skills to implement 
a quick and easy data entry solution for any 
department, from Human Resources to Shipping/ 
Receiving, as soon as you get home! 

HIT203: SharePoint SEO Tips and Tricks 

KEVIN ISRAEL 

We will cover tips and tricks that can be accomplished 
with OOB features that SharePoint provides including 
but not limited to: custom content types, managed 
properties, scopes, and advanced search, just to 
name a few. We will also cover some best practices 
related to SharePoint search. The goal of this session 
is for you to take away a "bag of tricks" that will help 
SharePoint deliver better search results by 
implementing good "front end" strategies that will
help maximize the SharePoint Indexing and Search 
engine. 

HIT312: SharePoint's Cheap and Easy 
Aggregation Tools Save Time and Money 

WENDY HENRY 

Storing enterprise data across distributed SharePoint 
sites and other resources doesn't have to mean 
investing in an expensive utility to ease user navigation. 
Don't miss this session on using the inherent tools of 
SharePoint, both WSS and MOSS, that enhance 
navigation without causing redundant storage and 
added resource costs. Live demonstrations of Content
Query, Site Aggregation, Site Summary Links and Links
Web Parts along with scenario-based illustrations of 
practical content type and Send To use will give even 
experienced SharePoint administrators solutions for 
improving user productivity without breaking the bank. 

HIT307: SharePoint's Virtual Reality;
Best Practice Virtualization Options for
a SharePoint Farm 

MICHAEL NOEL 

Server virtualization technologies have taken front 
stage recently and many organizations have begun 
to seriously contemplate replacing physical servers, 
including SharePoint servers, with virtualization 
technologies. This session focuses on real-world 
architecture and best-practice recommendations for 
incorporating SharePoint architecture into virtualized 
environments running with either Microsoft's Virtual 
Server 2005, Microsoft's Windows 2008 Hyper-V 
Virtualization, EMC's VMware Server, and Citrix 
XenApp products. In addition, special focus is placed 
on virtualization management and provisioning 
using tools such as System Center Virtual Machine 
Manager (VMM). The session also focuses on 
outlining which specific components of SharePoint 
operate well in a virtualized environment versus 
which ones are not necessarily good candidates. In 
addition, this session gives an in-depth look at 
real-world designs for SharePoint using both major 
virtualization products and outlining the strengths 
and weaknesses of each product in relation to
SharePoint functionality and supportability.

HIT308: The Ultimate SharePoint Best 
Practices Session: Lessons Learned from 
Years of SharePoint Deployments 

MICHAEL NOEL 

SharePoint 2007 has proven to be a technology that is 
remarkably easy to get running out of the box. On the 
flipside, however, some of the advanced configuration 
options with SharePoint are notoriously difficult to 
set up and configure, and a great deal of confusion
exists regarding SharePoint best practice design, 
deployment, disaster recovery, and maintenance. 
This session covers best practices developed from years 
of SharePoint deployments, encompassing the most 
commonly asked questions regarding SharePoint 
infrastructure and design, and includes a broad range 
of critical but often overlooked items to consider 
when architecting or optimizing a new or existing 
SharePoint environment. In short, all of the specifics 
required to turn a SharePoint environment into the
"perfect" farm are outlined.

SharePoint Development 

HDV304: Automate Business Processes 
Using InfoPath Forms with Integrated 
SharePoint Designer Workflows... All 
Without Coding! 

ASIF REHMANI

Forms and Workflows are essential to business processes. 
Companies usually rely on programmers to create the
forms and workflows using code. Not any more! If
you have access to Microsoft Office InfoPath and 
Microsoft Office SharePoint Designer, you can create 
powerful data-driven form solutions on your SharePoint 
sites. InfoPath gives you the ability to pull data from 
databases and lists, and create forms with data 
validation and conditional formatting. SharePoint 
Designer's workflows let you then design powerful 
multi-step workflows centered around the form 
collected data. In this session, you will see how to 
design a robust form using InfoPath and then design 
a workflow using SharePoint Designer to route this 
form appropriately. 

HDV307: Building SharePoint Applications 
for Outlook and Exchange 

ERIC MICHEL LEGAULT 
VSTO and other third-party development tools provide 
a powerful canvas to create highly professional 
SharePoint applications that integrate with Outlook 
and/or Exchange. This session will highlight the design 
capabilities of VSTO, Add-In Express and Redemption 
for creating Outlook COM Add-Ins or Windows Service 
applications and review development strategies for 
consuming/writing SharePoint/Outlook/Exchange 
data. Outlook examples will illustrate creating custom 
Task Panes, Folder View regions and Properties dialog 
tabs for building your presentation layer on top of 
SharePoint Web services. Server-side examples include 
building solutions to work with Outlook/Exchange data 
without requiring Outlook or Exchange to be installed.

HDV311: Building Information Policy
Features in SharePoint Server 2007 

JOHN HOLLIDAY 
SharePoint Information Policy lets you define 
explicit rules that govern the creation, use and 
disposition of list items, and is implemented as a 
tightly-coupled collection of components that 
together provide an extensible framework for 
managing enterprise content. This session explains 
the information management policy architecture in 
detail and steps through the process of designing 
and building custom policy features and policy 
resources. An end-to-end solution is presented that 
illustrates how information policy definitions can 
be extended to work in tandem with code running 
in Office client applications. 

HDV309: Build Better Records Management 
Solutions Using Dynamic File Plans 

JOHN HOLLIDAY 

At the heart of any records management system is 
the File Plan, which describes where each type of 
record should be stored, how long it should be kept 
and the manner and conditions under which it will 
be archived or destroyed. Professional records 
managers and compliance officers are accustomed 
to creating file planning worksheets and then using 
them to manually configure records center sites in 
SharePoint. This session will go beyond the manual 
model offered by static file plans toward a more
automated approach, where dynamic file plans are 
used to drive the process of adding the required 
elements into a records repository. An automated 
approach fits well with the day-to-day operations 
of a typical records center by enabling compliance 
officers and content managers to deal more 
effectively with constantly changing requirements
and regulations. During the session, I will create a 
SharePoint feature that adds a FilePlan gallery to a 
record center site that holds a collection of dynamic 
File Plan documents represented as XML files created
using InfoPath 2007. The feature will also deploy a 
custom application page that enables a plan 
administrator to "execute" the file plan, automatically 
creating all of the necessary routing types and other 
components needed to manage the documents 
described in the plan. 


HDV310: Building Custom Routers for 
SharePoint Records Management 

JOHN HOLLIDAY 
This session discusses developer aspects of 
Microsoft Office SharePoint Server 2007. Custom 
routers are an important extensibility point for 
records management and this session details the 
requirements for building these components. It 
provides a demo of building several different 
routers and deploying them into a SharePoint 
Server environment. During the session, I will 
create three different types of custom routers and 
use a custom SharePoint feature to deploy them. 

I'll create a filtering router to screen incoming 
records, a tracking router to monitor incoming 
records, and a redirecting router that determines 
the proper location for incoming records based on 
document properties and other metadata 
associated with the submitted file. In the process, I 
will highlight core features of the SharePoint 
record routing architecture, including the management
of document properties, audit entries and
content types. 

HDV315: Client-Side Programming in 
SharePoint Server 2010 

SCOT HILLIER 

SharePoint 2010 abstracts are under NDA until 
mid-August. Check the Web site for the updated 
abstract. 

HDV316: Creating RESTful Web Services 
for SharePoint 

SCOT HILLIER 

Windows Communication Foundation (WCF) supports
REST style services, which is an architecture for building 
resource-oriented services using standard HTTP verbs 
(GET, POST, PUT, and DELETE) that can be located 
through a URL. In this session, we will learn to create
RESTful Web services for SharePoint that access list 
items. The session will start with a brief overview of 
REST and how it is implemented in WCF services.
Next, the session will present the steps necessary to 
create a RESTful Web service that accesses list items 
in SharePoint. Finally, the session will go through 
the steps necessary to deploy a RESTful WCF service 
into Office SharePoint Server. 


HDV306: Report on Data from SharePoint 
Lists, Libraries and SQL Databases Using 
Data Views in SharePoint Designer 

ASIF REHMANI 

The SharePoint Designer Data View Web part is 
known as the "Swiss Army Knife" of all Web parts. 
Data View, which is only available through 
SharePoint Designer, can pull data from a variety of 
data sources including SharePoint lists and 
libraries, SQL databases, Web services, RSS feeds 
and more. This data can then be presented on any 
SharePoint page. The formatting of this data can 
also be manipulated to present a rich view of this 
data. In this session, you will see how easy it is to 
present unified views of data that are being 
fetched from a variety of data sources. 

HDV308: Enhancing Connected 
SharePoint Lists in Outlook 2007 

ERIC MICHEL LEGAULT 
It's really easy to link an Events, Contacts or Tasks 
list in WSS to Outlook 2007. But what if you had 
custom list fields or list views? These elements are 
not supported! But by using Visual Studio Tools for 
Office to build an Outlook COM Add-In consuming 
SharePoint Web services, you can easily design a 
custom Form Region to display these custom fields
and provide options for importing list views into 
the linked Outlook folder. 

HDV312: Office Document Assembly Made 
Easy with OpenXML and XSLT 

JOHN HOLLIDAY 

The beauty of the OpenXML format is its ability 
to support multiple markup dialects like 
WordProcessingML, SpreadsheetML and 
PresentationML while still providing a consistent 
and reliable packaging structure. But this power 
often comes at the expense of application 
developers who need to produce complex 
documents in all three formats without spending 
inordinate amounts of time developing custom 
code for each one. XSL transformations (XSLT) 
offers a convenient mechanism for solution
developers to avoid writing procedural code to 
generate content from data retrieved from 
SharePoint lists or other data sources.

HDV301: Enterprise Content
Management in SharePoint Server 2010 

ANDREW CONNELL 
SharePoint 2010 abstracts are under NDA until 
mid-August. Check the Web site for the updated 
abstract. 

HDV313: SharePoint and JQuery 
Sitting in a Tree... 

KEVIN ISRAEL 

So you want to really make people happy with 
SharePoint UI treats combined with business
objectives? Well let's mix in some JQuery and make 
them very happy. How do you do that you ask? Well 
come to this session and find out! We will cover 
configuring JQuery with SharePoint, review JQuery 
syntax, and show you how to start combining the 
power of JQuery with SharePoint. 

HDV314: PowerShell for MOSS Developers 
and Administrators 

MICHAEL BLUMENTHAL 
PowerShell, the ultimate in command shells for 
Windows, exposes all the richness of .NET right at
the command line! Learn how to use this powerful
tool for a variety of MOSS configuration, administration,
and customization needs. See how easy it is
to work with the SharePoint object model without 
having to dive into Visual Studio! 

HDV317: External Data Access and 
SharePoint Server 2010 

SCOT HILLIER 

SharePoint 2010 abstracts are under NDA until 
mid-August. Check the Web site for the updated 
abstract. 

HDV305: Manage Your Business Data in 
Your Databases Using Data View Web 
Part... No Code Needed! 

ASIF REHMANI 

Managing content in the enterprise is one of the 
most crucial needs of a business. Until now, if you 
wanted to edit your data in the database through 
a web front end, it usually meant developing a 
solution using some sort of programming 
language. Things have changed! Now if you are a 
power user who has access to Microsoft Office 
SharePoint Designer 2007, you can tap into your 
data by implementing the Data View Web part. 
Using this functionality, you can tap into any of 
your backend databases and manage your data. 
This session will focus on how a knowledge worker 
can be empowered to create data management 
solutions using the Data View Web part. 

HDV302: SharePoint 2010 and Services 

ANDREW CONNELL 
SharePoint 2010 abstracts are under NDA until 
mid-August. Check the Web site for the updated 
abstract. 

HDV303: SharePoint 2010 Developer 
Overview 

ANDREW CONNELL 
SharePoint 2010 abstracts are under NDA until 
mid-August. Check the Web site for the updated 
abstract. 

HDV101: Social Networking and 
Collaboration in Outlook and SharePoint 

ERIC MICHEL LEGAULT 

This session will discuss and highlight the 
growing convergence of applications and 
development tools within Microsoft's 
collaborative software offerings that 
focus on Social Networking. Elements 
such as the SharePoint Server Colleague 
Import Add-In for Outlook and MOSS APIs 
for working with User Profiles provide the 
foundation for linking this data within 
Outlook. New development features in 
Outlook 2010 will allow custom solutions 
which leverage SharePoint collaboration 
to be brought to a higher level. Other 
software coming from Microsoft will 
provide an even greater framework for 
creating full-featured social networking 
applications that can leverage the entire 
breadth of Microsoft's collaboration suite. 

EXC01: Accessing Exchange in the Cloud— 
What You Need to Know 

KIERAN MCCORRY 

This session, covering both Exchange 2007 and Exchange 
2010, outlines some of the best practices and inside 
information about truly accessing Exchange service 
in the cloud, highlighting the stress points in your 
infrastructure and where particular focus needs to 
be brought to bear. The session also outlines details 
of the Federation aspects of Exchange 2010. 

EXC02: Amaze Your Friends and Users with 
Global Address List Tips and Tricks 

JIM MCBEE 

For most organizations with Exchange, the Global 
Address List (GAL) becomes your company's corporate 
phone directory. Most Exchange administrators don't 
realize that you can further customize the GAL and do 
some very simple things that will make this resource even 
more valuable for your users. This intermediate session 
takes a look at some things you can do to customize 
the GAL including creating address lists, customizing 
details templates, defining "resource" objects, and 
creating a naming standard that helps with sorting. 

EXC03: CAS 2010—More Food for Thought 

KEVIN LAAHS 

The CAS role plays an even bigger role in your Exchange 
2010 environments than it does in Exchange 2007. 
Whilst it still supports the likes of OWA, ActiveSync, 
Web services and Outlook Anywhere, there are some 
fundamental architectural changes afoot that will 
change the way you architect your Exchange 
environments. In this session, we take a look at the 
major new functions that the CAS supports such as 
the Exchange Control Panel and Mapi-On-The-Middle 
Tier as well as all the exciting end user features that 
are delivered by the likes of OWA (even to Firefox 
and Safari browsers). 

EXC04: Designing Highly Available Solutions 

MICHAEL B. SMITH 

Shared disk is not the only answer to high availability 
in a Windows Server environment. In this session, 
we will cover the various options available for HA in 
Exchange Server and the process involved in getting 
from a non-HA solution to a HA solution. 


EXC05: E-mail Message Security Revisited 

JIM MCBEE 

The anonymous nature of SMTP makes Internet 
mail inherently insecure and should make every 
message you receive subject to scrutiny. While 
e-mail is frequently cited as one of the most 
valuable business tools available today, it also 
remains an easy avenue for hackers, identity theft, 
and information loss. This session will review some 
technologies that are available today to help 
improve the security of e-mail that you send and 
receive as well as possibly helping you to ensure 
that the e-mail you send or receive is authentic. In 
this session, we will cover topics such as sender 
protection framework (SPF), S/MIME, and digital 
rights management and how these technologies 
may be similar or different. 

EXC07: Exchange 2010 and Virtualization 

DONALD LIVENGOOD 
Running Exchange roles on virtual machines (VM) 
is nothing new and it has been done for many years 
prior to Microsoft specifically supporting it. With 
Microsoft's official support for most Exchange roles 
on a VM, the introduction of Hyper-V, and the new 
version of Exchange 2010, interest in a VM 
deployment is at its peak. This session will cover 
some of the best practices in deploying Exchange 
2010 on a Hyper-V platform, compare and contrast 
the HA capabilities of Hyper-V & Exchange, and 
provide general guidelines for moving forward with 
an Exchange 2010 deployment on a Hyper-V 
platform. 

EXC08: Exchange 2010 Deployment and 
Migration Best Practices 

KIERAN MCCORRY 
Exchange 2010 is yet another version of Exchange. 
Its architecture and topology are similar to that 
introduced with Exchange 2007, but there are some 
important changes and restrictions on interoperability 
that any organization in the early stages of 
planning a move to Exchange 2010 should be aware 
of. This session will give an overview of the best 
practices for Exchange 2010 deployment and focus 
on the interoperability and migration aspects from 
previous versions of Exchange. 


November 9-12, 2009 • Las Vegas, NV • WinConnections.com 





EXC09: Exchange 2010 HA and Database 
Availability Groups 

DONALD LIVENGOOD 
High Availability (HA) in Exchange 2010 is more 
powerful, yet less complex than in previous 
versions of the product. By extending the HA 
capabilities present in Exchange 2007, Exchange 
2010 provides a common framework for both HA 
and Disaster Recovery (DR). At the same time, 
features such as Single Copy Clusters have been 
removed, but then, so have previous limitations 
such as multi-server roles co-existing on servers 
providing HA. Many new concepts have been 
introduced such as the Database Availability 
Group, and even tried-and-true operations such as 
backups have evolved. This presentation will focus 
on the HA & DR features in Exchange 2010 and 
discuss the impact and changes these bring to 
deployment scenarios. 

EXC10: Exchange 2010 Information 
Protection and Retention 

KIERAN MCCORRY 
Exchange 2010 brings with it the most 
comprehensive set of Exchange features yet from 
Microsoft to help you safeguard and protect your 
data and where it goes in your Exchange 
organization. This new version has sophisticated 
rules for controlling information flows within the 
organization and taking actions when certain 
events occur. In addition, Exchange 2010 has a 
completely revamped model for information 
retention and archiving by means of the Online 
Archive. This session will describe those new 
features and explain what it means for you as a 
system administrator and your users as 
information workers. 

EXC11: Exchange 2010 Overview 

DONALD LIVENGOOD 
Exchange 2010 is the newest version of Microsoft's 
Messaging system and, naturally, it brings with it 
quite a lot of new features, functions, and 
capabilities. This session will provide a high-level 
overview of those features and functions and will 
conclude with some questions to consider before 
moving forward with Exchange 2010. 


EXC06: Exchange 2010 — Better with What? 

KEVIN LAAHS 

The "Wave 12" set of products (Office, OCS, 
SharePoint and Exchange 2007) had some pretty 
neat integration points such as being able to browse 
SharePoint libraries from OWA, take SharePoint lists 
offline through Outlook, and consume free/busy 
information in Communicator. Are all these 
integration points still available? What new 
opportunities exist when Exchange 2010 hits the 
streets and how will other forthcoming products 
likely leverage the Exchange 2010 platform? 

EXC12: Exchange Server 2007 
Management Shell Mini-Cookbook 

WILLIAM LEFKOVICS 
This session will look at a series of solutions for 
common Exchange issues using the EMS. You'll learn 
about such tasks as creating and testing Edge Server 
synchronizations, configuring OWA with the 
swiss-army-knife cmdlet Set-OWAConnectivity, 
managing databases and storage groups, and 
configuring users and distribution groups. Finally, 
we'll look at recipes for transport rules and 
anti-spam configuration. 

EXC13: Exchange Server: 
Your Top Questions Answered 

JIM MCBEE 

If you follow the Internet newsgroups or Web 
forums, you will begin to see a common thread 
amongst many of the questions. Administrators are 
frequently asking what are the best practices for 
running their Exchange Servers? What are the best 
tips and tricks for keeping Exchange Server running 
optimally? What should you be doing on a daily 
basis? Topics covered in this rapid-fire session will 
include Exchange security, MIME versus Rights 
Management (RMS), who should be worried about 
archiving and retention, performance optimization, 
spam fighting techniques, mobile device security, 
and more. 

EXC14: Extending Exchange 2010 

KEVIN LAAHS 

What options exist to extend the feature set that 
Exchange 2010 offers? In this session, we take a look 
at how you can build your own management 
utilities through PowerShell, how you can extend 
the SMTP transport engine and how you can 
leverage Exchange Web services to communicate 
with Exchange-based data in your own applications. 

EXC15: Introduction to Developing with 
Exchange Web Services 

WILLIAM LEFKOVICS 
Exchange 2007 replaced several deprecated 
developer APIs to consolidate under the umbrella of 
Exchange Web Services. Exchange 2010 expands on 
that commitment, including an Exchange Web 
Services Managed API. We will take a high level 
view of what is possible with EWS including 
reporting, mailbox intelligence, and even creating 
your own e-mail client. 

EXC16: Migrating from Exchange 2003 

MICHAEL B. SMITH 
Exchange 2003 was a rock-solid implementation of 
Exchange Server. The day comes though, when it's 
time to move to a more current release of Exchange. 
In this session, we'll discuss the migration process 
from a design and deployment perspective with an 
emphasis on real-world concerns and problems that 
you may run into. 

EXC17: Migrating to Exchange 
High-Availability Solutions 

MICHAEL B. SMITH 
Replication is not the only way to have high 
availability in an Exchange environment. In this 
session, we will cover the various options available 
for HA in Exchange Server and the process involved 
in getting from a non-HA solution to a HA solution. 

EXC18: My Exchange 2007 Server Crashed! 
Now What Do I Do? 

WILLIAM LEFKOVICS 
It has been rumored that Exchange Server can fail, 
especially when the hardware beneath it fails and 
no high-availability solutions are deployed. What do 
you do when this happens? We will look at basic 
disaster recovery using the Recovery Storage group 
and a dial tone restore to get users back online as 
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fast as possible. We will look at the impact of Cached 
Exchange Mode as well. We will try to create a 
formal checklist for those SMBs who depend on 
their single server deployments. 

EXC19: No SCOM? No MOM? 
You Still Have a PAL 

WILLIAM LEFKOVICS 
Not every company can or wants to deploy SCOM 
(formerly MOM) to manage and monitor their server 
deployments. Windows comes with a basic tool 
called, or at least known as, Performance Monitor. 
Exchange 2007 Server adds a plethora of perfmon 
counters for each role. PAL, Microsoft's free 
Performance Analyzer tool, will help you create 
charts (in HTML—managers love charts) for 
management and monitoring from perfmon logs of 
key Exchange counters. We will walk through the 
requirements (Office Web components, Log Parser, 
Codeplex) and configuration (XML config files) to 
produce a simple monitoring solution. 

EXC20: The Microsoft UC Voice Story 

LEE MACKEY 

Now that Microsoft has entered the voice world, 
how does a Microsoft administrator begin on their 
UC journey? What are the questions that you need to 
know, and how do you successfully win over the 
telephony and security groups? What are the 
questions to ask to have a successful deployment for 
Voice, and how do you tie Microsoft UC into all of 
the Voice pieces you may or may not have in your 
company? This session will get you started on that 
UC Voice journey and get you armed with the right 
questions for success. 


EXC26: The Exchange Server Store 
Demystified, Part 1 

PETER O'DOWD 

So just how does the Exchange Store work? 
Understanding this is critical to improve your 
chances of recovery from a disaster. Find out 
how, with topics including: Log files and 
database signatures; correct use of eseutil; 
checkpoint depth; missing log files; why have 
storage groups, why aren't they in Exchange 
2010? What is in the header of a database, why 
do I care? Peter has travelled the globe teaching 
both inside and outside of Microsoft on this 
topic. If you want to understand the store then 
this is your session. 


EXC21: The OCS R2 Story 

LEE MACKEY 

As Microsoft releases OCS R2 and Exchange 2010, 
how do these products work better together and 
how do you implement them to save money and do 
more with less? Most of the time, the requirement 
to do more with less is one of the most difficult 
challenges we face as admins. So how do you convince 
management to move forward on a UC journey and 
what types of things can you do to make 
improvements on day to day business? How do you 
extend applications with UC and shorten the 
sales cycle, shorten decision times, and 
improve business processes? This session will 
cover why UC is important to you and your 
company, and the types of conversations you 
want to have with management in order to 
save money and do more with less. 

EXC22: The OCS R2 UC Device Story 

LEE MACKEY 

This session will cover all of the UC devices from 
Microsoft, Jabra, Polycom, LG Nortel, and others 
that are used today for OCS and Exchange. The 
session will go over the different scenarios where 
they are best deployed, as well as walking through 
configurations for users. It's critical to understand 
how UC devices can help you as an administrator in a 
UC deployment as well as save money and win over 
end users. Why buy a desk phone when you don't 
need one? We'll also be covering new devices from a 
number of new vendors as well as showing demos of 
the hardware in action. This will help you as a 
Microsoft OCS Admin to determine how to size and 
select the devices your different end users will need. 

EXC23: VSS and the Exchange Administrator 

MICHAEL B. SMITH 
VSS is the mechanism used by Exchange 2007 and 
above for taking backups (and is supported by 
Exchange 2003). In this session we will take a deep 
dive into the details of VSS and how it works with 
Exchange. The Exchange administrator will also 
learn how to use VSS snapshots and backups as 
Recovery Storage Group targets. 

EXC24: Zen and the Art of Exchange 
Performance Monitoring 

JIM MCBEE 

One of the most powerful tools in the Exchange 
administrator's arsenal is the Windows Performance 
console. The Performance console includes the 
System Monitor tool and the Performance Logs and 
Alerts tool. These allow you to either view in 
real-time or record performance activity on a 
Windows server. However, even if you limit your 
scope to just counters installed for Exchange Server, 
there are literally thousands of these counters. This 
session will explore the most useful of these 
counters and look at acceptable maximum or 
minimum values. We will also cover best practices 
when monitoring Windows and Exchange server as 
well as topics such as understanding how to monitor 
disk subsystems and disk I/Os per second (IOPS). 

EXC26: The Exchange Server Store 
Demystified, Part 2 

PETER O'DOWD 

This is a continuation on from the first session. 
Now that we understand the pieces of what 
makes up a store. Let's look at how Exchange 
Server 2003, Exchange Server 2007, and Exchange 
Server 20 re schema, backups and other store 
technologies. Peter has travelled the globe 
teaching both inside and outside of Microsoft on 
this topic. If you want to understand the store 
then this is your session. 








NOVEMBER 9, 2009 


Pre-Conference Workshop • WINDOWS 

WPR301: Group Policy Essentials, 
Security, and Best Practices (9AM - 12PM) 

JEREMY MOSKOWITZ 

Additional Fee: $199 

Group Policy is the most efficient way to manage 
desktops in a Windows environment. If you are still 
running to machines to install and configure desktops, 
you are not taking full advantage of the power of Group 
Policy. In this practical workshop, Jeremy Moskowitz will 
help you gain control of your XP, Vista and Windows 7 
environment and get your life back. This is the perfect 
workshop to take before doing "deep dives" into the 
main sessions of the conference. You'll get a little bit of 
everything: essentials, configuration, control, and 
security! We'll warm up with some Group Policy basics. 
Then, you'll learn how to get your XP, Vista and Windows 
7 client machines humming with some new life. Jeremy 
will show you how to manage your environment with 
GPOs. You'll get some "solid base hits" to ensure you can 
go back to work with some good ideas you can 
immediately put to use. For instance, learn how to zap 
printers down to your computers, and remotely deploy 
software to your users' desktops, and learn how to use 
Group Policy to secure collections of machines. You'll 
also get an overview of the Group Policy Preferences—21 
tools to help get you out of login-script 
hell. We'll examine how Group Policy can do the heavy 
lifting to the jobs you want to do! This session has XP, 
Vista and Windows 7 content. (NOTE: Some material is 
repeated in Jeremy's regular sessions as reinforcement.) 

WPR302: Implementing Server Virtualization 
in Your Company (1PM - 4PM) 

ALAN SUGANO 

Additional Fee: $199 

This workshop will give you the information to formulate 
a virtualization strategy for your company. It will cover 
the basics of virtualization including server hardware 
configuration, virtualization software, and tips to identify 
physical servers that are good virtual server candidates. 
We'll examine migration strategies from the physical to 
the virtual world, backup strategies for your virtual server 
hosts and guests, high availability solutions using 
Microsoft Clustering and Virtual Server 2005/Hyper-V 
and ESX Server with High Availability, virtualizing Server 
2008 and tips for incorporating virtualization into your 
disaster recovery plan. There is a definite learning curve 
with virtualization. Learn where the potential pitfalls 
are and how to avoid them when implementing this new 
technology. When properly implemented, virtualization 
has the potential to save on hardware costs, simplify 
server management, ease bare metal restores and 
provide high availability for your server infrastructure. 

HPR303: SharePoint Jump Start: 
Reimagining Collaboration (9AM - 4PM) 

DAN HOLME 

Additional Fee: $399 

If you are new to SharePoint, or are trying to wrap your 
head around the massive potential of this powerful 
platform, you'll be the hero of your enterprise when you 
bring back the solutions you discover in this fast-paced, 
full-day preconference workshop. Dan Holme, a Microsoft 
MVP for SharePoint, will dive deep into the configuration, 
customization, and management of SharePoint 
collaboration. You'll learn to build SharePoint solutions 
that address common enterprise challenges, and you'll be 
amazed just how much you can do with Windows 
SharePoint Services (WSS) without having to pay for 
Microsoft Office SharePoint Server (MOSS). Topics include: 

• SharePoint Administration Jump-Start: What you need 
to know to administer SharePoint effectively, in 90 
minutes or less. 

• How to use SharePoint document libraries as a 
replacement for traditional file shares. 

• Driving effective collaboration and end-user 
adoption with Microsoft Office 2007 applications as 
SharePoint clients. 

• How to build "Business Intelligence Lite", no-code, 
and low-code SharePoint solutions using Office 2007 
and SharePoint Designer. 

HPR301: SharePoint BI - Building 
Dazzling Dashboards and Sizzling 
Scorecards in SharePoint (9AM - 4PM) 

KEVIN ISRAEL AND JESSICA MOSS 

Additional Fee: $399 

Data everywhere and not a dashboard to be found! This 
workshop gives you the lowdown, hands-on approach 
to building those amazing SharePoint dashboards and 
scorecards that we have been hearing about. This 
session covers how to get to and aggregate that data, 
then utilize BI tools such as PerformancePoint to build 
intelligent dashboards on top of it. 

EPR301: Building Your Own User 
Provisioning System (BRING YOUR OWN 
LAPTOP) (9AM-4PM) 

MICHAEL B. SMITH 

Additional Fee: $399 

Prior to the release of PowerShell, going through the 
various machinations required to provision and modify 
users drove many organizations to purchase third-party 
solutions or stick with the tried-and-true Active 
Directory Users and Computers. 

In this workshop, we will design and implement a 
GUI-based provisioning tool built in PowerShell. The user 
will also receive a short but intense introduction to the 
Windows GUI processing paradigm and investigate a 
couple of GUI tools that are available for PowerShell. 

Bring your own laptop and take home your own working 
code. A basic knowledge of PowerShell is required! 


NOVEMBER 13, 2009 


Post-Conference Workshop • WINDOWS 

EPS301: Exchange 2010, a Unified 
Communications Odyssey 
(9:00AM-4:00PM) 

WADEWARE - PETER O'DOWD, 
LEE BENJAMIN 

Additional Fee: $449 

Take this one-day journey through Microsoft Exchange 
Server 2010 and experience its new and improved 
features. Let the MVP team of Peter O'Dowd and Lee 
Benjamin lead you through hands-on-labs, including: 

• Archiving —yes, now available out of the box. 

• Mailtips —find out if your recipient isn't available 
before sending the message. 

• Exchange Control Panel —Where users can 
manage their directory data and groups. 

• Role Based Access Control —Allows different types 
of users to search for different types of content across 
the organization. 

• Information Leakage and Protection —Transport 
rules and Rights Management Server unite. 

• Database Availability Groups —The new HA. No 
longer does a database need be associated with a 
single server. 

• Unified Messaging —Try the new voice to text 
translation, dial plans, and more... 

This instructor led hands-on-lab experience will get 
you deep into Exchange and guide you through these 
features, showing you how they are configured and 
how they can be used to improve your organization's 
Unified Communications platform. 

WPS301: The Desktop Is Disappearing: 
Reimagining Cost, Deployment, Security 
and Support (9AM-4PM) 

DAN HOLME 

Additional Fee: $399 

The desktop is an endangered species. In this age of 
remote desktop, thin clients, laptops, mobility, and 
desktop and application virtualization, your enterprise 
must re-imagine how you architect and deliver the 
end user experience. This session aims at an 
"appliance" approach to desktops, so that the "image", 
applications, data and settings are managed so that 
users and budgets are liberated from the constraints of 
the "one user, one PC" model of the past. Unfortunately, 
the number of moving parts makes this a 
complicated endeavor. Dive deep into a discussion of 
the requirements, the solutions, and the best practices 
that you can apply to automate, provision, secure, and 
support the transition to a world where the desktop is 
a toaster, and perhaps a virtual toaster at that! This 
session will cover: 

• Deployment Blast Through: A rapid-fire, practical 
guide to automating deployment with the Microsoft 
Deployment Toolkit and Windows Deployment Services. 

• Provisioning Applications and Configuration: 
Workflows, tricks, and tools to provision applications 
to users effectively, whether you use SCCM, another 
management tool, or the "do it yourself" application 
management tools you'll learn to build. 


• Data Anywhere: A deep dive into the complexities 
of providing users consistent and reliable access to 
their data and settings regardless of whether they 
are on a connected, disconnected, or virtual device. 

• Support and Administration: Tricks and scripts for 
improving and provisioning secure, automated, and 
responsive support for the end user experience. 

• The Business Side of Deployment and Support: 
Guidance towards the business-level efforts required to 
transition to the locked down, mobile, and virtual world. 

HPS301: Developers Deep Dive to 
SharePoint Server 2010 (9AM-4PM) 

ANDREW CONNELL 

Additional Fee: $399 

SharePoint 2010 abstracts are under NDA until 
mid-August. Check the Web site for the updated abstract. 


A unique opportunity to get your technology and training 
from Microsoft and industry experts! 



TY ANDERSON - Cogent Company, LLC 
CHRIS AVIS - Microsoft 
LEE BENJAMIN 
MICHAEL BLUMENTHAL - Magenic Technologies 
QUENTIN CLARK - Microsoft 
SCOTT GUTHRIE - Microsoft 
WENDY HENRY - SharePoint-eLearning.com 
SCOT HILLIER - Scot Hillier Technical Solutions 
JOHN HOLLIDAY - John Holliday & Associates, Inc. 
DAN HOLME - Intelliem, Inc. 
LEE MACKEY - HP 
JIM MCBEE - Ithicos Solutions 
KIERAN MCCORRY - HP 
DAVE MENDLEN - Microsoft 
MARK MINASI - Minasi Research & Development 
ASIF REHMANI - SharePoint-eLearning.com 
STEVE RILEY 
TOM RIZZO - Microsoft 
JOHN SAVILL - EMC 
MICHAEL B. SMITH - The Essential Exchange 
ANDREW CONNELL - Critical Path Training, LLC 
KEVIN ISRAEL - Ironworks Consulting 
ROSS MISTRY - Convergent Computing 
ALAN SUGANO - ADS Consulting Group 
SEAN DEUBY - Advaiya Inc. 
JEREMY MOSKOWITZ - Moskowitz, Inc 
STEVE FOX - Microsoft 
WILLIAM LEFKOVICS - Mojave Media Group, LLC 
JESSICA M. MOSS - Solid Quality Mentors 
MICHAEL NOEL - Convergent Computing 
PETER O'DOWD - Blade/Wadeware 

And many more... 

Check our Web site as we continue to 
update it with speaker pictures and bios! 

HOTEL INFORMATION 


November 9-12, 2009 

Las Vegas, Nevada 

Mandalay Bay Resort and Casino 


HOTEL ACCOMMODATIONS 

Mandalay Bay Resort and Casino, 3950 Las Vegas Blvd. South 
Las Vegas, Nevada, is the conference site and host hotel. SPACE 
IS LIMITED so reserve your room early by calling the conference 
hotline at 800/505-1201 or 203/268-3204. 

Reserve your room early to take 
advantage of great hotel discounts! 



AIRLINE 

Please call Pericas Travel at 203/562-6668 for 
airline reservations. 

CAR RENTAL 

Hertz is offering auto rental discounts to attendees. Call the 
Hertz Meeting Desk at 800/654-2240 for reservations and refer 
to code CV#010R0039 (Hertz) under Connections Vegas to 
receive your attendee discount. 

ATTIRE 

The recommended dress for the conference is casual and 
comfortable. Please bring along a sweater or jacket, as the 
ballrooms can get cool with the hotel's air conditioning. 

TAX DEDUCTION 

Your attendance to a WinConnections conference may be 
tax deductible. Visit www.irs.ustreas.gov. Look for topic 
513 - Educational Expenses. You may be able to deduct the 
conference fee if you undertake to (1) maintain or improve 
skills required in your present job; (2) fulfill an employment 
condition mandated by your employer to keep your salary, 
status, or job. 

SPONSORSHIP/EXHIBIT INFORMATION 

For sponsorship information, contact: Rod Dunlap 

Phone: 480-917-3527 

e-mail: rod@devconnections.com 

See Web site for more details. www.WinConnections.com 


GROUP DISCOUNT 

Register individuals from one 
company at the same time and 
receive a group discount. 

Call 800/505-1201 to take 
advantage of group discount pricing 

SHOW DISCOUNT 

Book 3 nights by September 1st at Mandalay Bay and receive a 
$100 Mandalay Bay certificate. Book NOW to get a special rate of $149 
(a limited number of rooms at this rate so reserve today). 

NOTES & POLICIES 

The Conference Producers reserve the right to cancel the conference by refunding the registration fee. Producers can 
substitute speakers and topics and cancel sessions without notice or obligation. Updates will be posted on our Web 
site at www.WinConnections.com. Tape recording, photography is not allowed at any session. Conference producers 
will be taking candid pictures of events and reserve the right to reproduce. By attending this conference you 
agree to this policy. You may transfer this registration to a colleague by notifying us before the start of the event. 
Please inform us if you have any special needs or dietary restrictions when you register. 

The conference registration includes the following subscriptions. This is not an additional expense and subtraction 
from prices listed is not permissible. Windows and Exchange Connections conference registration includes 
a one year (12 issues) print subscription to Windows IT Pro magazine for Windows and Exchange Connections 
conference attendees only. Current subscribers will have an additional 12-months added to their subscription. 
Subscriptions outside of the United States and Canada will be served in digital; $12.50 of the funds will be 
allocated toward a subscription to Windows IT Pro magazine ($49.95 value). 

Registration & Cancellation Policy: Registrations are not confirmed until payment is received. Cancellations before 
September 29th, 2009 must be received in writing and will be refunded minus a $100 processing fee. After 
September 29th, 2009 cancellations and no shows are liable for full registration, it can be transferred to the next 
WinConnections Conference within 12 months or to another person. Microsoft, Microsoft .NET, ASP.NET, Visual Studio 
.NET, C#, Microsoft SQL Server, MSDN, Exchange and Windows are either trademarks or registered trademarks of 
Microsoft Corporation. All other trademarks are property of their owners. 


1-3 registrants: $1,595 per person 

Additional registrants after the 3rd (4th, 5th, 6th...): $1,395 per person ($200 off each) 


CONFERENCE REGISTRATION • NOVEMBER 9-12, 2009 


Name 


Priority code 

Company 


Title 

Street Address (Required to ship materials) 

City, State, Postal Code 


Country 

Telephone 

Fax 

E-mail Address (important) 


ONLINE 

www.WinConnections.com 

E-MAIL 

info@devconnections.com 

PHONE 

800/505-1201 • 203/268-3204 

FAX 

203/261-3884 

MAIL 

Microsoft Exchange Connections 2009 
SharePoint Connections 2009 
Windows Connections 2009 
c/o Tech Conferences, Inc. 

731 Main Street, Suite C-3 
Monroe, CT 06468 


WINCONNECTIONS CONFERENCES | PRICE | SUBTOTAL

For which conference are you registering?

on or before September 1, 2009 | $1495.00
after September 1, 2009 | $1595.00


For which conference are you registering? 


PRE-CONFERENCE WORKSHOPS | Monday, Nov. 9, 2009 | Lunch is included with full day workshops

9:00am-12:00pm | Group Policy Essentials, Security, and Best Practices —Moskowitz | $199.00
1:00pm-4:00pm | Implementing Server Virtualization in Your Company —Sugano | $199.00
9:00am-4:00pm | SharePoint Jump Start: Reimagining Collaboration —Holme | $399.00
9:00am-4:00pm | SharePoint BI - Building Dazzling Dashboards and Sizzling Scorecards in SharePoint —Israel/Moss | $399.00
9:00am-4:00pm | Building Your Own User Provisioning System in PowerShell (BRING YOUR OWN LAPTOP) —Smith | $399.00

POST-CONFERENCE WORKSHOPS | Friday, Nov. 13, 2009 | Lunch is included with full day workshops

9:00am-4:00pm | The Desktop Is Disappearing: Reimagining Cost, Deployment, Security and Support —Holme | $399.00
9:00am-4:00pm | Developers Deep Dive to SharePoint Server 2010 —Connell | $399.00
9:00am-4:00pm | Exchange 2010, a Unified Communications Odyssey —O'Dowd/Benjamin | $449.00


CONFERENCE MATERIALS

FULL CONFERENCE REGISTRATION INCLUDES MATERIALS FOR THE CONFERENCE FOR WHICH YOU REGISTER; YOU MAY PURCHASE MATERIALS FOR THE OTHER CONCURRENTLY RUN EVENTS.

Windows Connections CD | $75.00
SharePoint Connections CD | $75.00
Microsoft Exchange Connections CD | $75.00



PAYMENT TOTAL 


IMPORTANT: You must reference Microsoft Exchange Connections, SharePoint Connections or Windows Connections on your check. 

□ CHECK (payable to Tech Conferences) All payments must be in US currency. Checks must be drawn on a US bank. 

□ VISA □ MASTERCARD □ AMEX 


Cardholder's Signature 


Cardholder's Name (print)
Introducing

by Jan De Clercq

Establishing order in the identity jungle

While using Windows Vista, you might have noticed a new Control Panel applet called Windows CardSpace and wondered what it's for. Windows CardSpace is a brand-new client-side identity-management tool that lets you create and manage personal information cards, or InfoCards. These InfoCards are digitally signed XML constructs that you can use to identify yourself to CardSpace-enabled websites.

CardSpace is part of Microsoft's Identity Metasystem, the company's Internet-centric vision for identity management. With the Identity Metasystem, Microsoft abandons the notion of a universal and single-user identity for the Internet. Remember the early days of Microsoft Passport? Instead, Microsoft now focuses on the creation of a universal framework that can connect existing and future identity-management systems and provide interoperability between these disparate systems. For a broader introduction to the Identity Metasystem, see the Microsoft article "Microsoft's Vision for an Identity Metasystem" (msdn.microsoft.com/en-us/library/ms996422.aspx).

Let's take a look at CardSpace and its interface and begin to 
understand the value of what CardSpace can provide the average 
Windows user. Let's also see what happens behind the CardSpace 
scenes. 


What CardSpace Can Do 

CardSpace offers a user-friendly and secure alternative to using simple usernames and passwords for identification and authentication on the Internet. Even though usernames/passwords are still the prevailing identification and authentication paradigm on the Internet, they have many weaknesses. Many users wrestle with password fatigue. They have to deal with too many passwords—a situation that results in password reuse, insecure passwords, and forgotten passwords. Bad password-management practices also create more opportunities for malicious users. Add to that the increasing number of password thefts through counterfeit websites and man-in-the-middle attacks, and you understand why usernames/passwords are far from an ideal solution.

CardSpace can resolve those problems. Users with InfoCards no longer need to remember various username/password combinations; they can simply select an InfoCard from the CardSpace interface to identify themselves to CardSpace-enabled websites. InfoCards are also more secure than passwords because they're securely stored and sent across the network through strong Advanced Encryption Standard (AES) cryptography.

There are always three participants in a CardSpace interaction: the user, an identity provider, and a relying party. The user controls all interactions that involve his or her InfoCards. He or she chooses which InfoCards to create and which to use for identifying to a given website.

Figure 1: Website identity verification

Identity providers issue InfoCards to users. For example, businesses can issue identities to their customers, and organizations can vouch for the identities of their employees. InfoCards that businesses, online services, organizations, or governments issue are called managed InfoCards. Managed InfoCards are site-, organization-, or business-specific. They're issued by third-party identity providers that might—depending on usage—charge the user for issuing the InfoCard. An InfoCard provides claims about a person on the person's behalf. A claim is the Identity Metasystem term for facts or statements about a user. The name and gender of a user, or proof that a user's identity has been verified by a certain authentication authority, are examples of claims that can be stored in a managed InfoCard. In terms of vouching for a user's identity, InfoCards are comparable to the SSL certificates we use today for identifying ourselves to websites.

But individuals can also be their own identity provider and issue their own InfoCards, which are called self-issued InfoCards. As opposed to managed InfoCards, self-issued InfoCards are general-purpose and can be used against various applications and/or websites. Not all websites and applications accept self-issued InfoCards. As part of the CardSpace exchange, a website might require that a user's InfoCard be a managed card issued by a trusted identity provider such as the VeriSign Certification Authority (CA).

Finally, relying parties accept and consume the InfoCards that a user provides. These are typically websites that use InfoCards to identify and/or authenticate users or to personalize web content.

The CardSpace Interface 

CardSpace stores references to users' different digital identities and presents these to users as visually attractive InfoCards. In Identity Metasystem-speak, CardSpace is also referred to as an Identity Selector: It provides a nice interface that lets people easily select and use their different identities in applications and on websites.

To play around with the CardSpace interface, you can simply log on to a CardSpace-enabled website. Examples of CardSpace-enabled sites are signon.com or Kim Cameron's Identity Weblog (www.identityblog.com)—Kim is the author of The Laws of Identity project. At the top right corner of this website, you'll notice the CardSpace logon icon (the purple "i" inside a purple rectangle).

When you click the icon—and if it's the first time you're using CardSpace on this website—the Do you want to send a card to this site? dialog box that you see in Figure 1 appears. This dialog box lets you identify the website prior to sending one of your personal InfoCards to the site. From the Tasks pane on the right, you can view the website's X.509 certificate details or check the site's privacy statement. This illustrates a key security advantage of the CardSpace system: server authentication. Server authentication is also one of the reasons why CardSpace can better protect users from phishing. Phishing attacks consist of malicious attempts to acquire sensitive user information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity.

Based on the trust you have in the site's identity information, you can then decide to select one of your personal InfoCards (by clicking the Yes, choose a card to send option) or to stop the CardSpace exchange (by clicking the No, return to the site option).

Figure 2: Creating a self-issued InfoCard

If you want to proceed with the CardSpace exchange (and this is the first time you're using CardSpace on your system), you'll see the Create a card to send to screen, from which you can choose to create a personal card (i.e., a self-issued card) or install a managed card.

If you decide to create a personal card, you'll see the Edit a new card dialog box, which Figure 2 shows. Here, you provide a name for your new InfoCard, select an icon or picture to represent the InfoCard, and enter the values for a number of attributes that the InfoCard will store. When you create a new InfoCard to identify yourself to a website, CardSpace marks the attribute fields that the site requires in red. These represent the claims a website wants to get from the user before he or she is allowed access to the site's content.


Figure 3: Selecting an InfoCard

If you choose to install a managed card, CardSpace prompts you to provide a Managed Card Information file (i.e., a file with a .crd extension).

If you have used CardSpace before (meaning your CardSpace store already contains InfoCards), you'll see the Choose a card to send to screen, which displays InfoCards currently available on your system, as you see in Figure 3. These include both self-issued and managed InfoCards.

To determine the exact details an InfoCard holds, you can select the card and click the Preview button. If you've used a particular InfoCard before, the preview screen will also contain card-use history and creation date, as Figure 4, page 40, shows.

Besides displaying all the card data, the details screen also lets you set an important optional InfoCard property: a PIN. This is a security feature that adds one more level of security to an InfoCard. In the Tasks pane of the Card Details dialog box, you'll find a Lock this card option. When you choose to lock a card, you're prompted to enter a PIN. Afterward, each time you want to access or use the InfoCard, you'll be requested to enter the PIN. Locking InfoCards is an interesting option for shared computer systems, and in situations in which a card contains personal information or identifies the user to special websites such as online banking sites. Organizations that want an even higher level of security for securing access to their users' InfoCards can require the presence of a certificate that is securely stored on a smart card. This means that prior to using and accessing the InfoCard, the user must insert the correct smart card and authenticate to it using the smart card PIN.

Figure 4: Verifying InfoCard details and history

When the user selects a managed card, 
the CardSpace software contacts the issuer 
of the InfoCard (i.e., the identity provider) 
to obtain a digitally signed XML token that 
contains the requested claims. 

Under the Hood 

CardSpace is installed by default on Windows Vista. It's available as a download for Windows XP and Windows Server 2003 via Windows Update. To confirm that Windows CardSpace is installed on your system, open Control Panel and look for the Windows CardSpace applet, or look for the Windows CardSpace service in the Services section of the Microsoft Management Console (MMC) Computer Management snap-in.

Windows CardSpace is also bundled with the .NET Framework 3.0 and later versions, which run on Windows Server 2008, Vista, XP, and Windows 2003; .NET Framework 3.0 is bundled with—but not installed by default on—Server 2008. So, the easiest way to add CardSpace support to Server 2008 is to install .NET Framework 3.0 Features.

To use CardSpace, you also need a compatible web browser. Internet Explorer 7 (IE 7) supports CardSpace natively, and third parties provide support to integrate CardSpace functionality into other browser platforms. For example, you can find a CardSpace plug-in for Firefox at the CodePlex IdentitySelector page (www.codeplex.com/IdentitySelector).

Microsoft built Windows CardSpace atop the Web Services protocol stack (WS-*), an open set of XML-based protocols for web service communication. Any application or platform that supports WS-* protocols can integrate with CardSpace. For more information about the WS-* specifications, see the Microsoft article "Web Services Specifications Index Page" (msdn.microsoft.com/en-us/library/ms951274.aspx).

To accept InfoCards on a website, a developer must add HTML tags to the web content that specify the user claims that the site requires. The developer must also implement code on the web server that decrypts the InfoCards and extracts the user claims. A quick Internet search yields code examples to integrate InfoCard not only with Microsoft-based websites but also with other web application servers—for example, Apache.

If an identity provider wants to provide managed InfoCards to users, it must have a Security Token Service (STS). An STS is a security authority that can create managed InfoCards. An identity provider that doesn't want to build its own STS can buy one from vendors such as Ping Identity (www.pingidentity.com). Another option is to wait for the release of Microsoft's Federated Identity Server (code-named Geneva), which will provide an Identity Metasystem-compliant STS that can interface with CardSpace. Consider Geneva as the next evolution of Microsoft's Active Directory Federation Services (ADFS), which is bundled with Server 2008 and Windows 2003.

A little more about interoperability: CardSpace and the Identity Metasystem can deal with various security token formats, which explains why CardSpace shouldn't be considered a competitor to other Internet-identity architectures such as OpenID and Microsoft's Windows Live ID. You can use CardSpace InfoCards to sign in with your OpenID or Windows Live ID account. To link an InfoCard to your OpenID account, visit SignOn.com (www.signon.com). To link an InfoCard to your Windows Live ID account, go to login.live.com/beta/managecards.srf?wa=wsignin1.0&wreply=http://www.live.com&w=500.

Secure Alternative 

Through its user-friendly interface and its secure architecture, CardSpace offers a valuable alternative to the classic username/password scheme and puts users back in control of their identity interactions on the Internet. The widespread adoption and success of CardSpace will largely depend on the number of websites and applications that support it.
Sometimes it's necessary to reboot computers in an Active Directory (AD) domain or organizational unit (OU). For example, if you use a Group Policy Object (GPO) to deploy software to computers, Group Policy won't install the software until the computers reboot. Or, you might need to reboot some computers after installing a security patch or when you run a computer startup script. Whatever the reason, rebooting multiple computers is a common administrative task that a script can accomplish.

Because I often have to reboot multiple computers, I decided to create a scripting solu¬ 
tion that would: 

1. Create a list of computers. 

2. Reboot each computer in the list. 

3. Report on the success or failure of each reboot. 

I first investigated using Windows' built-in command-line tools in the scripting solution. The Dsquery Computer command can produce a list of computers, and the Shutdown command can reboot a remote computer. However, these commands have some limitations. First, each computer name in the Dsquery Computer command's output ends with the $ character and is enclosed in double quotes, so my script would have to perform extra string manipulation to extract just the computer names. Second, the Shutdown command wasn't designed with automation in mind, so it's difficult to get its results into a readable format.

I then thought of writing a Windows Script Host (WSH) script that would use ActiveX Data Objects (ADO) to find the computers and Windows Management Instrumentation (WMI) methods to reboot them. However, creating formatted output with a WSH script is largely a manual process.

Reboot,
down, power

REBOOTING COMPUTERS


Table 1: Sample Set-ComputerState.ps1 Commands

Command | Result

set-computerstate -computername pc1 -action Reboot | Reboots pc1
set-computerstate pc1,pc2 Logoff -force | Forces a logoff on computers pc1 and pc2
set-computerstate pc3 Test | Tests whether Set-ComputerState.ps1 can connect to pc3


Due to these limitations, I decided to write two PowerShell scripts:

• Get-EnabledComputerCN.ps1, which creates a list of computers

• Set-ComputerState.ps1, which reboots each computer in the list and reports on the success or failure of each reboot; this script also lets you log off users and power off or shut down computers

I wrote two scripts instead of one because they're independently useful. When you just need to get the names of all the computers in a domain or OU, you can run Get-EnabledComputerCN.ps1 by itself. When you just need to reboot, power off, or shut down a few computers or log off a few users, you can use Set-ComputerState.ps1 by itself. When your needs change and you need to reboot, power off, or shut down all the computers or log off all the users in an OU or AD domain, you can easily combine the scripts using a single PowerShell command. I'll show you how to do this after I describe how to run the scripts individually.

Using Get-EnabledComputerCN.ps1

Get-EnabledComputerCN.ps1 is easy to use. The command to run the script follows the syntax

get-enabledcomputercn
  -basename <String[]>
  [-searchscope <String>]

(Although this command syntax wraps here, you'd enter the command all on one line in the PowerShell console. The same holds true for the other sample commands that follow.)

You use the -basename parameter to specify one or more base distinguished names (DNs)—this is where the script will start searching for computers. If you specify a blank string ("" or ''), the script uses the current domain's DN for the start of the search.

You use the -searchscope parameter to specify the search scope (Base, Onelevel, or Subtree). If you don't specify -searchscope, the default search scope is Subtree. If you specify Onelevel for the -searchscope parameter, the script searches for enabled computers in the named DNs, but it doesn't search in containers underneath the named DNs. You'll most likely never use a Base search. For more information about search scopes, see MSDN's "SearchScope Enumeration" web page (msdn.microsoft.com/en-us/library/system.directoryservices.searchscope.aspx).

Both the -basename and -searchscope parameters are positional, so you can omit the parameter names if you specify their values as the first and second parameters on the command line. For example, the command

get-enabledcomputercn ""

outputs a list of all enabled computers in the current domain. The command

get-enabledcomputercn
  "OU=Sales,DC=wascorp,DC=net",
  "OU=Mktg,DC=wascorp,DC=net"

outputs a list of enabled computers in the Sales and Mktg OUs (and any OUs underneath them) in the wascorp.net domain. Enclosing the DNs in double quotes causes PowerShell to interpret each DN as a distinct string. Without the quotes, PowerShell will interpret OU=Sales,DC=wascorp,DC=net as an array of three strings instead of a single string.

Using Set-ComputerState.ps1

The Set-ComputerState.ps1 script uses WMI to log off, shut down, reboot, or power off one or more computers, then outputs objects containing the results of each operation. The command to run the script uses the syntax

set-computerstate
  -computername <String[]>
  -action <String>
  [-force] [-ping]

You use the -computername parameter to specify a computer name (or a list of computer names). You indicate the action you want to perform on that computer by specifying the -action parameter followed by Logoff, Shutdown, Reboot, Poweroff, or Test. If you include the -force parameter, the script will force the specified action. Including the -ping parameter tells the script to first ping the computers.

Figure 1: Sample output from Set-ComputerState.ps1

Listing 1: The main Function in Get-EnabledComputerCN.ps1

function main {
  if (($BaseName -eq $NULL) -or $Help) {
    usage
  }

  # Throw an error if the search scope isn't valid.
  if ("Base", "Onelevel", "Subtree" -notcontains $SearchScope) {
    throw "-searchscope must be 'Base', 'Onelevel', or 'Subtree'."
  }

  # Retrieve the domain's DN.
  $domainDN = ([ADSI] "").distinguishedName[0]

  foreach ($dn in $BaseName) {
    # An empty base name means the current domain.
    if ($dn -eq "") {
      $dn = $domainDN
    }

    # Callout A: bind to the requested object in AD.
    $direntry = [ADSI] "LDAP://$dn"

    # Callout B: create the searcher and set its search root and filter.
    # The filter matches computer objects whose userAccountControl
    # does not have the disabled bit (2) set.
    $searcher = new-object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $direntry
    $searcher.Filter = "(&(objectCategory=Computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $searcher.PageSize = 1000
    $searcher.SearchScope = $SearchScope

    # Callout C: load only the cn property; [Void] discards the returned index.
    [Void] $searcher.PropertiesToLoad.Add("cn")

    # Set DirectorySearcher's Sort property to a new SortOption
    # object, and configure the property name.
    $searcher.Sort = new-object System.DirectoryServices.SortOption
    $searcher.Sort.PropertyName = "cn"

    # Output the names for all the computers.
    $searcher.FindAll() | foreach-object {
      $_.Properties.cn
    }
  }
}

Although the Logoff, Shutdown, Reboot, and Poweroff values for the -action parameter are self-explanatory, the Test value needs a bit of explanation. The Test value tests whether Set-ComputerState.ps1 can establish a WMI connection with each specified computer, but it doesn't perform an action. So, you specify this action when you want to simply test whether you can connect to the specified computers.

You can also use the Test value in conjunction with the -ping parameter. For example, if you want to test whether Set-ComputerState.ps1 can successfully ping and connect to a computer named pc4, you'd run the command

set-computerstate pc4 Test -ping

If you use the -force parameter with the Test action, the -force parameter is ignored because -force is only meaningful with other actions.

Both the -computername and -action parameters are positional, so you can omit the parameter names if you specify their values as the first and second parameters on the command line. Table 1, page 42, shows some sample Set-ComputerState.ps1 commands.

Figure 1, page 42, shows sample output from Set-ComputerState.ps1. As you can see, it outputs objects that contain three properties:

• Computer. The Computer property contains the computer name.

• Action. The Action property contains the action attempted on the computer (e.g., reboot, logoff, forced reboot, forced logoff). If Test was the specified action, the Action property will contain the word Connect. If the -ping parameter was included and a ping fails, the Action property will contain the word Ping.

• Result. The Result property contains the result (either a hexadecimal number or a string) of the specified action. When the Result property contains 0x00000000, the action was successful. When the action failed, the Result property will contain a non-zero hexadecimal code or an error message.

To interpret an error code, you can use 
the Net Helpmsg command by following the 
syntax 

net helpmsg (0x<Last4Digits>) 

where <Last4Digits> is the last four hex 
digits in the error code. For example, if you 
get the error code 0x800706BA, you'd type 
the command 

net helpmsg (0X06BA) 

after the PowerShell prompt. In this case, the 
result is the error message The RPC server is 
unavailable. 


Combining the Commands 

As I mentioned previously, PowerShell makes it easy to run Get-EnabledComputerCN.ps1 and Set-ComputerState.ps1 together using a single command. For example, suppose you want to reboot all the computers in the Mktg OU in the wascorp.net domain. You can use either this command

get-enabledcomputercn
  "OU=Mktg,DC=wascorp,DC=net" |
  foreach-object
  { set-computerstate $_ reboot }

or this one

set-computerstate
  (get-enabledcomputercn
  "OU=Mktg,DC=wascorp,DC=net") reboot

The first command executes Get-EnabledComputerCN.ps1, then pipes the script's output to the ForEach-Object cmdlet, which executes Set-ComputerState.ps1 on each computer listed in that output. The second (and shorter) command executes Set-ComputerState.ps1, using Get-EnabledComputerCN.ps1 as the -computername parameter. Now that you know how to run the scripts individually and together, let's look at how they work.

Table 2: Valid Parameter Values for the Win32Shutdown Method

Value | Meaning

0 | Logoff
1 | Shutdown
2 | Reboot
4 | Forced logoff
5 | Forced shutdown
6 | Forced reboot
8 | Power off
12 | Forced poweroff

Listing 2: Set-ComputerState.ps1 Code That Associates the -action Parameter Values with the Win32Shutdown Method Parameter Values

# Callout A: Win32Shutdown parameter values (16 is the script's own value for Test).
$ACTION_LOGOFF = 0
$ACTION_SHUTDOWN = 1
$ACTION_REBOOT = 2
$ACTION_FORCE = 4
$ACTION_POWEROFF = 8
$ACTION_TEST = 16

# Callout B: associate the first letter of each action with its value.
$ACTION_LIST = @{"L" = $ACTION_LOGOFF;
                 "S" = $ACTION_SHUTDOWN;
                 "R" = $ACTION_REBOOT;
                 "P" = $ACTION_POWEROFF;
                 "T" = $ACTION_TEST}

Understanding Get-EnabledComputerCN.ps1

Get-EnabledComputerCN.ps1 is a fairly straightforward script that uses the .NET DirectoryEntry and DirectorySearcher classes to search AD for enabled computers. It uses PowerShell's [ADSI] type accelerator to create a System.DirectoryServices.DirectoryEntry object. Get-EnabledComputerCN.ps1 connects (or binds) to the requested object in AD by specifying its name after the [ADSI] type accelerator, as shown at callout A in Listing 1. If you specify an empty string, the DirectoryEntry object binds to the current domain.

Get-EnabledComputerCN.ps1 then creates a System.DirectoryServices.DirectorySearcher object and sets that object's SearchRoot and Filter properties, as callout B shows. The script sets the SearchRoot property to the DirectoryEntry object it created in the code at callout A. It uses a search filter to find enabled computer accounts, whether they be workstations, member servers, or domain controllers (DCs). If you're unfamiliar with Active Directory Service Interfaces (ADSI) search filters, see MSDN's "Search Filter Syntax" web page (msdn2.microsoft.com/en-us/library/aa746475.aspx).

Next, Get-EnabledComputerCN.ps1 sets the DirectorySearcher object's PageSize property to 1,000. This enables AD to return the search results in pages of 1,000 objects at a time. Otherwise, it returns only the first 1,000 matches. The script then configures the SearchScope property (which, as discussed previously, is Base, Onelevel, or Subtree).

The final step in setting up the DirectorySearcher object is to specify which properties you want to retrieve for each object. To do this, Get-EnabledComputerCN.ps1 calls the Add method of the DirectorySearcher object's PropertiesToLoad property, as callout C shows. The Add method returns an index, but since the script doesn't use the index, it casts the expression to [Void] to prevent the index value from appearing in the output. We only want to return the cn (common name) property for each computer name, so that's the parameter it passes to the Add method.

After setting up the DirectorySearcher object, the script creates a System.DirectoryServices.SortOption object and sets its PropertyName property so that the results are sorted in ascending order. To output those results, the script calls the DirectorySearcher object's FindAll method. This method outputs a list of System.DirectoryServices.SearchResult objects. The script pipes this list to the ForEach-Object cmdlet in order to output the cn property for each object.

Understanding Set-ComputerState.ps1

Set-ComputerState.ps1 uses WMI to perform the specified actions on computers. Specifically, it uses the Win32Shutdown method of WMI's Win32_OperatingSystem class. This method requires a parameter that tells it what to do. Table 2 shows the valid parameter values for the Win32Shutdown method. (Test isn't a valid action for the Win32Shutdown method, but Set-ComputerState.ps1 uses the value 16 to represent the Test action.)

Set-ComputerState.ps1 assigns the Win32Shutdown method's parameter values to a series of variables representing the various actions, as callout A in Listing 2, page 45, shows. It then uses a hash table to associate the variables with the first letter of each action (callout B). The script checks the first character of the specified action against the hash table's keys. If there isn't a match (i.e., the specified action isn't valid), the script throws an error.

Set-ComputerState.ps1 also uses the hash table to obtain the numeric value for the Win32Shutdown method and stores it in the $flags variable. If the -force parameter was entered on the command line, the script uses the -bor operator to obtain the value for the forced version of the action (provided that the action wasn't Test).
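
The lookup just described, written out as an added example; it is not the code of Set-ComputerState.ps1, and the function names Resolve-ShutdownFlags and Resolve-ShutdownFlagsStrict are hypothetical (try/catch assumes PowerShell 2.0 or later). It also shows a consequence of checking only the first character as described: any word that begins with L, S, R, P, or T resolves to an action, so the second function validates the whole action name before a value is produced.

```powershell
# Added illustration. Constants and hash table as shown in Listing 2.
$ACTION_LOGOFF   = 0
$ACTION_SHUTDOWN = 1
$ACTION_REBOOT   = 2
$ACTION_FORCE    = 4
$ACTION_POWEROFF = 8
$ACTION_TEST     = 16

$ACTION_LIST = @{"L" = $ACTION_LOGOFF;
                 "S" = $ACTION_SHUTDOWN;
                 "R" = $ACTION_REBOOT;
                 "P" = $ACTION_POWEROFF;
                 "T" = $ACTION_TEST}

# Hypothetical helper: first-character lookup, as the article describes it.
function Resolve-ShutdownFlags([String] $Action, [Switch] $Force) {
    if ([String]::IsNullOrEmpty($Action)) {
        throw "-action is required."
    }
    # Hash table literals compare keys case-insensitively, so "r" finds "R".
    $key = $Action.Substring(0, 1)
    if (-not $ACTION_LIST.ContainsKey($key)) {
        throw "-action must be Logoff, Shutdown, Reboot, Poweroff, or Test."
    }
    $flags = $ACTION_LIST[$key]
    # The force bit is only combined with real actions, never with Test.
    if ($Force -and ($flags -ne $ACTION_TEST)) {
        $flags = $flags -bor $ACTION_FORCE
    }
    $flags
}

# Hypothetical stricter variant: the whole action name must be a known one.
function Resolve-ShutdownFlagsStrict([String] $Action, [Switch] $Force) {
    $valid = "Logoff", "Shutdown", "Reboot", "Poweroff", "Test"
    if ($valid -notcontains $Action) {
        throw ("-action must be one of: " + [String]::Join(", ", $valid))
    }
    Resolve-ShutdownFlags $Action -Force:$Force
}

# Value passed to Win32Shutdown for each action, plain and forced
# (compare with Table 2).
foreach ($name in "Logoff", "Shutdown", "Reboot", "Poweroff", "Test") {
    "{0,-9} plain={1,2} forced={2,2}" -f $name,
        (Resolve-ShutdownFlags $name),
        (Resolve-ShutdownFlags $name -Force)
}

# Constructed inputs: mistyped or guessed action names.
foreach ($name in "Pause", "Status", "Restart") {
    $loose = Resolve-ShutdownFlags $name
    try {
        $strict = Resolve-ShutdownFlagsStrict $name
    } catch {
        $strict = "rejected"
    }
    "{0,-8} first-letter={1,-2} strict={2}" -f $name, $loose, $strict
}
```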

Next, the script creates a ManagementObjectSearcher object using PowerShell's [WMISearcher] type accelerator in a query that selects all properties from the Win32_OperatingSystem class. It then configures the ManagementObjectSearcher object's options to enable all WMI privileges and set the WMI impersonation level. (This is why Set-ComputerState.ps1 uses the ManagementObjectSearcher object instead of the Get-WMIObject cmdlet; the Get-WMIObject cmdlet doesn't support enabling all privileges.)

Set-ComputerState.ps1 uses a foreach
loop to iterate through the computers specified
with the -computername parameter. For
each computer, the script creates a custom
output object and configures its name. If
the -ping parameter is present, the script
calls the testIPHost function. The testIPHost
function uses WMI's Win32_PingStatus class
to check whether the computer responds to
a ping. If the ping fails (i.e., the testIPHost
function returns a non-zero value), the
script updates the output object's Action
and Result properties, outputs the object,
and continues to the next computer.

In the code in Listing 3, Set-ComputerState.ps1
uses the PowerShell trap statement
to capture exceptions. If an exception
occurs, the trap script block updates the
$ok variable in the parent scope to $FALSE,
then attempts to retrieve the exception's
ErrorCode property. Not all exceptions have
an ErrorCode property, so the trap script
block uses a regular expression to check if
the exception's message contains a hex error
code. If the exception message contains a
hex error code, the script block updates the
output object's Result property with the hex
error code; otherwise, it updates the output
object's Result property with the error message.
The trap script block then uses the continue
statement to go to the code that's after
the statement that caused the exception.

Finally, Set-ComputerState.ps1 points
ManagementObjectSearcher to the root\cimv2
WMI namespace on the requested
computer, then calls ManagementObjectSearcher's
Get method to execute the query
as a part of a foreach loop. If the $ok variable
contains $TRUE, an exception didn't occur 
and the script checks whether Test was the 
requested action. If so, it updates the output 
object with a zero code (indicating suc¬ 
cess); otherwise, it calls the Win32Shutdown 
method and updates the output object's 
properties with the action and the result. 
The script uses the decodeFlags function to 
return a string representation of the $flags 
variable. After this, the script outputs the 
custom object and continues to the next 
computer. 

Because Set-ComputerState.ps1 outputs
objects, not just text, you can use PowerShell's
formatting cmdlets to customize the
script's output. For example, if you want to 
omit the Action property from the output, 
you can use the Format-Table cmdlet to 
select only the Computer and Result proper¬ 
ties. 

Exploiting PowerShell's 
Capabilities 

The Get-EnabledComputerCN.ps1 and
Set-ComputerState.ps1 scripts demonstrate how
PowerShell makes it relatively easy to combine
separate scripts to accomplish a single
goal. If you add them to your toolbox, you'll
be able to easily reboot computers whenever
needed. You can download these scripts by
going to the Windows IT Pro website
(www.windowsitpro.com), entering 102361 in the
InstantDoc ID box, clicking Go, then clicking
the Download the Code Here button. You
can execute these PowerShell scripts on any
machine that has PowerShell installed, but
the computers on which you're performing
the actions don't have to have PowerShell
installed. You don't need to customize the
scripts before you use them.
Listing 3: The Trap Script Block in Set-ComputerState.ps1

trap [System.Management.Automation.MethodInvocationException] {
  # Tell the parent scope that the WMI call failed.
  set-variable ok $FALSE -scope 1
  # Try to get the error code.
  $result = $_.Exception.GetBaseException().ErrorCode
  if (($result) -and ($result.GetType() -eq [Int])) {
    $output.Result = "0x{0:X8}" -f $result
  }
  else {
    # Get the exception message.
    $result = $_.Exception.GetBaseException().Message
    # Try extracting the error code from the exception message.
    ([Regex] ".*(0x[0-9A-F]{8}).*").Matches($result) | foreach-object {
      $output.Result = $_.Groups[1].Value
    }
    # If the regex didn't match, just use the entire message.
    if ($output.Result -eq "") {
      $output.Result = $result
    }
  }
  # Resume at the statement after the one that raised the exception.
  continue
}

Load-Balance AD LDS with Microsoft NLB in 6 Steps

Add strength and resiliency to your LDS implementation

by Ken St. Cyr

Active Directory Lightweight Directory Services (AD LDS) has made it easy for organizations
to implement application-specific directories without incurring additional risk to their
corporate AD forest. As AD LDS has grown in popularity, the demand to scale its implementations
and ensure higher levels of availability has also grown. LDS is based on the same code as AD,
so it has the same replication engine and performance characteristics, but the same
high-availability rules don't apply to LDS.

In AD, load balancing automatically occurs in the back end, thanks to the separate processes
for discovering and connecting to domain controllers (DCs). But LDS is simply an
LDAP directory and therefore has no inherent ability to load-balance itself, despite its rich
replication capabilities. So, instead of letting your LDS implementation be a failure waiting
to happen, you can use Microsoft's Network Load Balancing (NLB) service to give your directory
service some much needed load balancing. In this article, I lay out six steps that you can
take to start load-balancing your LDS servers in no time. But first, you need to be aware of
the basics of NLB.

PROBLEM:

After spending many months
and thousands of dollars on
developing an application,
your AD LDS servers are
pegged out and even dropping
connections. After you added
server replicas, you found that
the application is still using the
original server 95 percent of the
time. And during last week's
outage, the application still
wasn't able to connect to the
directory service, even though
the replicas were still online.

SOLUTION: 

By adding NLB, your AD LDS 
instance will balance the load 
across your server replicas 
and give you fault tolerance 
when servers fail. By following 
these steps, you'll learn how 
to plan for and implement 
NLB on top of your AD LDS 
implementation. 

SOLUTION STEPS: 

1. Determine the NLB 
configuration of your cluster 
and network settings. 

2. Install LDS and any replica 
servers that your instance will 
use. 

3. Install NLB on all the LDS 
servers in your LDS instance. 

4. Build the NLB cluster and 
configure its settings. 

5. Install the SSL certificate. The 
certificate needs to include the 
clustered name of the instance. 
Install the certificate to the 
personal certificate store of the 
LDS service account and give the 
account the right permissions. 

6. Go back and add the LDS 
servers in your replicated 
instance to the NLB cluster. 

DIFFICULTY: 

•••○○

Figure 1: NLB principles


Network Load Balancing 101 

Windows Server's built-in NLB offers a basic 
clustering service for TCP/IP-based network 
services—without the burden of shared 
resources. NLB doesn't ensure data consis¬ 
tency across hosts in the cluster. If there's 
dynamic data, that data must be kept in sync 
by other means. Therefore, NLB is typically 
used by static content providers, such as a 
web server farm that connects to a back-end 
database. You can use NLB with dynamic- 
content providers, but NLB leaves it up to 
the server to ensure that the data is in sync 
across hosts. This type of setup lends itself 
well to LDS because LDS accomplishes this 
data synchronization with its native replica¬ 
tion capabilities. 

With NLB, you define a "virtual" name 
and IP address. The address is shared by 
each host in the NLB cluster. Load balancing 
is based on ports. So, you can have multiple 
services load-balanced with different options 
on the same hosts. You can also set the weight 
and priority on hosts in the cluster to ensure 
that better-performing hardware is used 
more frequently. When a client connects to
a set of LDS servers that is clustered with
NLB, it uses the virtual name or IP address.
The NLB service, which runs on every node 
of the cluster, will determine which server 
in the farm responds. Figure 1 illustrates the 
NLB principles at a high level. 

Step 1: Plan Your NLB 
Configuration 

Before you start installing NLB, you need to 
make a few decisions about how NLB will 
run in your LDS server farm. Making these 
decisions early will help ensure that you 
run into fewer problems when you begin 
deploying NLB. If you already have LDS 
running and you just want to add additional 
load-balanced servers, the planning will 
reduce the risk of taking the LDS service 
offline while you're installing NLB. 

First, you'll want to determine the con¬ 
figuration of the cluster network. You'll need 
to obtain an IP address for the cluster; each 
cluster host will be listening on this address. 
Also, you'll need to decide on a cluster host 
name that the clients will use to access the 
directory service. Although it might sound 
trivial, deciding on a host name is an essen¬ 
tial step, particularly if you plan to use SSL. 
When you obtain a server certificate for your
LDS hosts, the certificate will need to con¬ 
tain the shared cluster host name instead of 
the individual server host name. If you don't 
do this, you'll have a name mismatch in your 
certificate, so you'll need to decide on the 
cluster host name before you can request 
your server authentication certificate. 

Second, you'll need to decide on the 
cluster operation mode. You have two 
choices: unicast or multicast. When you 
use NLB, each host in the cluster will accept 
traffic that's destined for the cluster's IP 
address and the host name that you decided 
on earlier. It does this because NLB assigns 
a unique MAC address for the cluster. Each 
host in the cluster listens for traffic destined 
to this MAC address. Using a filtering algo¬ 
rithm built into NLB, the host will either 
process the packet or drop it. Because every 
host in the cluster is using the same filter¬ 
ing algorithm, the packet is processed by 
only one host. When you choose a cluster 
operation mode, you're deciding on how 
each host listens for packets destined to 
the cluster MAC address. If you use unicast 
mode, the system replaces the MAC address 
of the network card on the host with the 
cluster's MAC address. Therefore, each LDS 
host in the cluster will have the same MAC 
address. The host will still service clients, but 
the LDS hosts won't be able to communicate 
with one another unless you have a second 
network card. Without this second network 
card, LDS replication won't work. However, 
when you use multicast mode, the network 
card retains its original MAC address and 
an additional multicast MAC address is 
added. In this configuration, hosts in the 
cluster can communicate with one another 
without the need for an additional network 
card. In most cases, the safest choice is to use 
multicast mode, but you need to ensure that 
the switch can map a unicast IP address to a 
multicast MAC address. 

Third, you need to determine how many
network cards you'll use in each host. You
have a couple of considerations coinciding
with this decision: If you've chosen to operate
in unicast mode, you'll need an additional
network card to ensure that the LDS
hosts can communicate with each other;
also, an additional network card can add
performance enhancements. One card
would be dedicated to the cluster host,
and the other card would be used for other
networking traffic, such as backups and
replication.

Figure 2: The Network Load Balancing Manager tool

Fourth, you'll need to think about client
affinity. Before your clients can query
your LDS directory, they must first bind to 
it to establish a connection and present 
credentials. With multiple load-balanced 
LDS servers, there's a chance that when 
your client uses that cluster host name, 
they could bind to one server and then a 
subsequent LDS query could connect to 
an entirely different server in the cluster. 
The problem is that the client would be 
authenticated to only the server that it 
bound with and not the server that it que¬ 
ried. When client affinity is enabled, you 
have assurance that the client will use the 
same host in the cluster all the time. There 
are three affinity options available: None,
Single, and Network.

Choosing None doesn't necessarily 
mean that every network operation will go 
to a different server in the cluster. The way 
affinity is calculated when None is selected 
is based on the IP address of the client 
and the source port that the client uses. 
So, when you use a tool such as LDP (ldp.exe)
to test affinity, the source port that it
uses doesn't change until you disconnect
from the directory and reconnect. The
same LDS host is used within the LDAP
session, but this isn't the case with every 
LDAP client. When you use Single affinity, 
the algorithm will use only the IP address 
of the client to determine which LDS host 
to connect to. This ensures that the same 
client will always use the same server as 
long as it has the same IP address. When 
you use Network affinity, the system uses 
neither the client IP address nor the source 
port. Instead, every client coming from 
the same subnet will use the same LDS 
host. You can use this method to establish 
a form of geographic load balancing in 
your cluster. 
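
The three affinity options described above, as an added example (not from the original article): a simplified Python model in which a SHA-256 hash over the affinity key stands in for NLB's own filtering algorithm. The host names, client addresses, and the /24 used for Network affinity are assumptions made for illustration.

```python
"""Simplified model of NLB client affinity (None, Single, Network).

Assumption: a SHA-256 hash stands in for NLB's real filtering algorithm.
Host names and client addresses are constructed for illustration.
"""
import hashlib
import ipaddress

HOSTS = ["lds1", "lds2", "lds3"]  # hypothetical LDS replicas in one cluster


def affinity_key(mode, client_ip, source_port):
    """Return the part of a connection that the affinity mode hashes on."""
    ip = ipaddress.ip_address(client_ip)
    if mode == "None":
        return f"{ip}:{source_port}"      # client IP and source port
    if mode == "Single":
        return str(ip)                    # client IP only
    if mode == "Network":
        # Assumption: "same subnet" is modelled as the client's IPv4 /24.
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return str(net.network_address)
    raise ValueError(f"unknown affinity mode: {mode}")


def pick_host(mode, client_ip, source_port, hosts=HOSTS):
    """All hosts compute the same answer, so exactly one accepts the packet."""
    key = affinity_key(mode, client_ip, source_port).encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return hosts[bucket % len(hosts)]


def hosts_seen(mode, connections, hosts=HOSTS):
    """Set of hosts reached by a list of (client_ip, source_port) connections."""
    return {pick_host(mode, ip, port, hosts) for ip, port in connections}


def split_sessions(mode, client_ip, bind_port, later_ports, hosts=HOSTS):
    """Count later connections that land on a host other than the bind host."""
    bound = pick_host(mode, client_ip, bind_port, hosts)
    return sum(pick_host(mode, client_ip, p, hosts) != bound for p in later_ports)


if __name__ == "__main__":
    one_client = [("10.1.2.25", 50000 + i) for i in range(60)]
    one_subnet = [(f"10.1.2.{i}", 50000) for i in range(1, 200)]
    for mode in ("None", "Single", "Network"):
        print(f"{mode:8} one client, 60 connections -> "
              f"{sorted(hosts_seen(mode, one_client))}")
        print(f"{mode:8} 199 clients in one /24     -> "
              f"{sorted(hosts_seen(mode, one_subnet))}")
        print(f"{mode:8} connections away from the bind host: "
              f"{split_sessions(mode, '10.1.2.25', 50000, range(50001, 50060))}")
```

Running the module prints, for each mode, which hosts one reconnecting client reaches and which hosts a whole subnet reaches.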

Step 2: Get LDS Up and 
Running 

The next step in deploying your LDS farm 
is to get LDS working without NLB. Install 
and configure your network cards and 
get LDS installed and running properly, 
but don't install the server certificates 
yet. You'll want to stand up at least one
replicated instance. (For a good setup and 
configuration guide, see the Microsoft 
article "AD LDS Getting Started Step-by- 
Step Guide" at technet.microsoft.com/ 
en-us/library/cc770639.aspx.) Use a tool 
such as LDP or ADSIEdit (adsiedit.msc) 
from a client to make sure you can connect 
to each of the LDS servers independently 
and that the replicated data is the same on 
both servers. 


Step 3: Install NLB on All Nodes 

You're now ready to install NLB on each of 
the LDS servers that hold a replica of the 
directory instance. There are two ways to 
install the NLB service in Windows Server 
2008: through the GUI or from a com¬ 
mand prompt. To install NLB using the 
GUI, you'll use the Server Manager tool. 
You can select the Features item in the 
console tree, then select Add Features in 
the main panel. In the Add Features Wiz¬ 
ard, select the Network Load Balancing 
check box and click Install. Remember, 
you'll need to install NLB on every LDS 
server that will participate in the cluster. 

You can also use the command prompt 
to install NLB on your LDS hosts. To do so, 
you can use the command 

servermanagercmd -install nlb

Step 4: Create the NLB Cluster 

Now that NLB is installed on your hosts, 
you can use one of the hosts to create the 
cluster. Launch the Network Load Balancing 
Manager tool (which Figure 2 shows) from 
the Administrative Tools menu, or run the 
Nlbmgr command. 

The NLB Manager consists of three parts. 
In the left panel, you'll see a list of all the 
NLB clusters that you're connected to. The 
right panel contains the details of the cluster 
or host that you've selected. And at the bottom
of the dialog box, a log shows you the
recent operations the tool has performed.

Figure 3: The TCP client access ports for LDAP

Start the New Cluster wizard by selecting
New from the Cluster menu. The next
few dialog boxes will take you through the
process of creating the NLB cluster. You'll
start off by connecting to the first LDS
server that you're adding to the cluster.

The Host Parameters dialog box defines 
some settings that are specific to the host 
you're installing. The Priority field lets you 
give each host a unique ID; the host with 
the lowest priority number is the one that 
handles all the packets that don't have a port 
rule defined. (I'll discuss port rules shortly.) 
If you have multiple network cards, you'll 
want to ensure that the IP address specified 
in this dialog box isn't the IP address that the 
cluster is using. If you have a single network 
card, you'll see the IP addresses of that card 
here marked as dedicated IP addresses. 

In the Cluster IP Addresses and Cluster 
Parameters dialog boxes, you'll add the IP 
address and host name that you decided 
on in Step 1. This is also where you'll 
choose the cluster operation mode. When 
you select multicast, you'll notice that the 
MAC address changes from a unicast MAC 
address to a multicast MAC. 

Finally, you'll need to define the port 
rules for the clustered directory service. 
Port rules tell the NLB cluster which ports 
to listen on. By default, the wizard defines 
all ports as clustered, but you can hone this
down to only the TCP client access ports for
LDAP (as you see in Figure 3). You would 
need to create separate TCP port rules for 
each LDAP port. By default, LDS uses port 
389 for unencrypted LDAP and port 636 for 
SSL-secured LDAP, unless there's already 
a directory service using those ports. In 
that case, you would have defined differ¬ 
ent ports to use when you installed the 
directory instance. Because the port rules 
affect only communications over the clus¬ 
ter MAC, leaving all ports clustered doesn't 
adversely affect LDS replication or server- 
to-server communications. But keep in 
mind that any ports that aren't covered in 
a port rule are handled by the host with the 
lowest priority number. 

Step 5: Install the SSL Certificate

Getting SSL running in a replicated LDS 
instance is a little tricky when you're 
using NLB. There are three factors to keep 
in mind when installing the certificates. 
First, as I stated earlier, you must use the 
host name of the cluster in the server 
authentication certificate—not the host 
name of the server. If you plan to use the 
host name to connect to individual hosts, 
you can use a Subject Alternative Name 
(SAN) for the host or use a wildcard cer¬ 
tificate. Second, the certificate must be 
installed in the personal certificate store 
of the account that the LDS service is 
running under. It's important to ensure
that the personal certificate store for that
account on each LDS server contains only 
the server authentication certificate and 
nothing else. To add the certificate to the 
correct certificate store, you can use the 
following approach: 

1. Run the Microsoft Management 
Console (MMC) Certificates snap-in. When 
you load the snap-in, select the option to 
manage certificates for a Service Account. 

2. When the list of services appears, 
select the service that corresponds to the 
LDS instance that you're load-balancing. 

3. Right-click the Personal store of the 
service account, and choose All Tasks, 
Import. 

Finally, you need to give the LDS service
account read permissions to the certificate
in the store. For example, if you were using
the Network Service account for LDS in
Server 2008, you would give the Network Service
Account read permissions to the folder
%PROGRAMDATA%\Microsoft\Crypto\RSA\MachineKeys.
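
A check for the name requirements in Step 5, as an added example (not from the original article): given a certificate in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(), it lists which cluster and host names the certificate fails to cover. All host names and certificates below are constructed.

```python
"""List the LDAPS endpoint names that a server certificate does not cover."""


def _labels(name):
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """DNS name match; '*' is honoured only as the entire left-most label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Names a client compares against: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def missing_names(cert, endpoints):
    """Endpoints a client would reject with a name mismatch for this certificate."""
    names = cert_names(cert)
    return [ep for ep in endpoints if not any(name_matches(n, ep) for n in names)]


# Constructed names: the cluster host name chosen in Step 1 plus two LDS hosts.
ENDPOINTS = ["ldap.corp.example", "lds1.corp.example", "lds2.corp.example"]

# Constructed certificates in getpeercert() shape.
PER_SERVER = {"subject": ((("commonName", "lds1.corp.example"),),)}
CLUSTER_ONLY = {"subject": ((("commonName", "ldap.corp.example"),),),
                "subjectAltName": (("DNS", "ldap.corp.example"),)}
CLUSTER_WITH_SANS = {"subject": ((("commonName", "ldap.corp.example"),),),
                     "subjectAltName": tuple(("DNS", n) for n in ENDPOINTS)}
WILDCARD = {"subject": ((("commonName", "*.corp.example"),),),
            "subjectAltName": (("DNS", "*.corp.example"),)}

if __name__ == "__main__":
    for label, cert in [("per-server", PER_SERVER),
                        ("cluster name only", CLUSTER_ONLY),
                        ("cluster name + host SANs", CLUSTER_WITH_SANS),
                        ("wildcard", WILDCARD)]:
        print(f"{label:26} missing: {missing_names(cert, ENDPOINTS) or 'none'}")
```

The per-server certificate fails for the cluster name, which is the mismatch the article warns about, and the cluster-only certificate fails for direct connections to individual hosts.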

Step 6: Add Hosts to the Cluster 

After you install the NLB cluster with one 
host, you should be able to freely access 
the directory service using the cluster host 
name and IP address. The only thing left is 
to add the remainder of the LDS servers into 
the NLB cluster. If you're using SSL, don't 
forget to import the certificate into the cor¬ 
rect store and set the folder permissions on 
each host that you add to the cluster. 

Strength and Resiliency 

You should now have a running NLB cluster. 
You can use the LDAP client tools to test 
connectivity to your directory service, but 
be sure to use the cluster host name and IP 
address. By adding NLB clustering to your 
replicated LDS instance, you have strength¬ 
ened your LDS implementation and have 
added an additional layer of resiliency to an 
already great directory service.
The Top 8 Challenges to Exchange High Availability and Disaster Recovery

Exchange Server 2007 is a powerful messaging platform that fills a critical communications role in 
many organizations. Consequently, making an Exchange Server environment both highly available
and disaster tolerant is a must. But providing redundancy for all the components of an Exchange
infrastructure poses significant challenges, because Microsoft provides for different availability tools and
concepts out of the box. Conceptually, you can divide these challenges into eight logical concepts, 
each addressed in different ways. Understanding these challenges can help you define which areas of 
Exchange need particular attention when planning to make an environment highly available. 

1. Providing Redundancy for Inbound and Outbound Mail 

By themselves, Exchange Edge Transport servers, which are responsible for inbound and outbound 
mail delivery, are not highly available for inbound mail. You can either set up multiple DNS MX Records 
to provide multiple paths for mail delivery, or you can enable hardware- or software-based network 
load balancing to multiple Edge Transport servers. A third option is DNS Round Robin, which should 
be avoided if possible, because it is a "passive" load balancing solution that can lead to referrals made 
to servers that are not responding. 

2. Protecting Intra-Org Communications 

Exchange automatically load balances internal messaging communications between Hub Transport
Server roles, with certain caveats. Mail flow internally is only redundant if there are multiple Hub
Transport servers within the same Active Directory (AD) Site that contains mailbox servers. If all Hub
Transport servers in a site are down, mail flow to that site is disrupted.

3. Creating Redundant Copies of Mailbox Data 

Exchange Server 2007 introduced the concept of Continuous Replication, which is essentially log ship¬ 
ping for Exchange. Continuous Replication allows for multiple copies of a mailbox database to exist 
in an organization. Exchange Server 2007 running on Windows Server 2008 supports geographically 
dispersed Clustered Continuous Replication (CCR), which provides for an automated solution to fail 
over clients to a remote copy of their mailboxes. There are some significant challenges to enabling 
geographically dispersed CCR; for example, both nodes must reside in the same AD Site, which often 
necessitates the creation of dedicated AD domain controllers for the cluster. In addition, the cluster 
name must be created with a very low DNS Time to Live (TTL) value to avoid clients caching the IP
of a failed node. Microsoft also provides for Single Copy Clusters (SCCs), which are traditional shared
storage clusters, and for Standby Continuous Replication (SCR), which creates a replicated copy of a
mailbox database in a remote location that must be manually failed over to in the event of a failure.
Both SCC and SCR can be significantly complex to configure and require two sets of tools to set up
and administer.

4. Protecting Public Folder Data

Microsoft provides two distinct public folder redundancy options, neither of which can be used si¬ 
multaneously. The first method is via traditional, pre-Exchange 2007 Public Folder replication, which 
can be slow and difficult to troubleshoot. The second method is via Continuous Replication, which, if 
utilized, does not allow for traditional replication to occur, limiting the public folder to a single logical 
instance. This public folder instance can physically reside in more than one location, but within the 
confines of the Continuous Replication infrastructure. 

5. Providing Highly Available Client Access Mechanisms 

Exchange Server's Client Access Server (CAS) role provides for critical access mechanisms such as Out¬ 
look Web Access, Outlook Anywhere (RPC over HTTP), and features such as the Availability service and 
Autodiscovery. By default, there is no built in availability. Simply deploying multiple CAS servers will 
not automatically load balance client traffic. Windows Network Load Balancing provides CAS role HA, 
but is functionally limited to eight nodes and does not provide availability across sites. Hardware- 
based network load balancing gives better performance and can potentially work across sites, but it 
can be expensive. 

6. Providing Resiliency for the Directory Platform 

An often neglected component of Exchange messaging design is the directory used for Exchange: 
Windows Server's AD. Deploying multiple, high-performance 64-bit domain controllers that are 
full Global Catalog servers in each site where Exchange resides is critical to making Exchange highly 
available and for optimal client performance. It is also important to note that Exchange cannot use 
Windows Server 2007 Read only Domain Controllers (RODCs) or Read only Global Catalog servers 
(ROGCs).

7. Controlling the Entire Messaging Lifecycle

For compliance reasons, many organizations need a more robust and reliable method to keep track 
of messages and to be able to produce a record of all communications at any point in their lifecycle. 
Out of the box, Microsoft provides for the ability to create a journal mailbox, which keeps a copy of all 
messages sent and received. This journal mailbox can grow very large very quickly, and often requires 
a dedicated server and significant storage to maintain. 

8. Providing Options for Message Recovery 

One of the major data redundancy issues is simply preventing users from deleting the wrong message 
from their inboxes. Out of the box, Exchange includes recycle bin functionality and a message "dumpster,"
where deleted items can be recovered for a period of time. Once the dumpster interval has
expired, however, the only way to restore the message is through a data restore. Out of the box,
Microsoft includes a very limited backup tool, and most organizations subsequently perform Exchange
backups using an approved backup solution that is Exchange aware.

SharePoint server architecture in both Microsoft Office SharePoint (MOSS) and
Windows SharePoint Services (WSS) lets you create a robust, fault-tolerant, and 
highly available SharePoint farm designed to survive the loss of any one compo¬ 
nent. But it's not readily obvious how to do this out of the box, and some of the 
guidance doesn't cover all availability concepts. To further complicate things, 
many people are confused about the difference between disaster recovery and 
high availability. High availability generally refers to the concept of keeping an application 
or service running and available for use in the event of a failure of part of the infrastructure, 
while disaster recovery refers to a process of recovering an environment that has already 
failed. As this article specifically focuses on high availability, let's dive into SharePoint high 
availability concepts first, then look at some prescriptive guidance for making components 
in a SharePoint farm fully redundant and highly available. 

Understanding SharePoint Server Role Availability 

The base architectural component in a SharePoint environment is the SharePoint farm, 
composed of multiple servers that work together to store content and display it for end 
users. Each server in the farm can hold one or more server roles that determine what job 
the server plays in the farm topology. For example, the web role utilizes Internet Information 
Services (IIS) to display content for users,
while the index role is responsible for index¬ 
ing content so that it can be made available 
for search. To gain a full understanding of 
SharePoint high availability, let's examine 
each role and how it works. 

Database Role Availability 

The database server role, which uses Micro¬ 
soft SQL Server 2008 and 2005 to house 
crucial SharePoint databases, can be made 
highly available by traditional Microsoft 
Cluster Service (MSCS) failover clustering. If 
a cluster node were to fail, the second node 
in the cluster would take over the database 
role seamlessly. Clustering is a complex 
topic, but to simplify, all nodes in a particular 
cluster have direct access to a shared storage 
location (such as a SAN disk volume) where 
the databases are stored and can constantly 
communicate with each other to take over 
in the event of an outage. SQL Server 2008 
running on Windows Server 2008 is highly 
recommended as it has the most functional, 
easy-to-configure clustering options. 

A strong SQL Server recommendation 
for a SharePoint environment is to use a 
combination of a DNS CNAME record or a 
SQL Server alias for SharePoint servers to 
connect to, rather than the actual name of 
the SQL Server server or the cluster. This 
gives you the flexibility to move SharePoint 
databases to another SQL Server instance in 
the event of an outage or for general house¬ 
keeping. By using an alias name to connect 
to (i.e., spsql.companyabc.com), admins 
can save themselves the headache of hav¬ 
ing to go through Microsoft's documented 
procedure for moving to a new SQL Server 
instance, which involves a command-line 
operation (stsadm -renameserver) and a 
full reindex. 

Web Role Availability 

To achieve high availability of the Share- 
Point web role, load-balance the traffic sent 
to multiple web role servers by using a hard¬ 
ware load balancer or Windows Network 
Load Balancing (NLB). Load-balanced web 
role servers share virtual IP addresses (VIPs) 
so that, in the event of a failure, the traffic 
sent to the VIP is sent to an available host. 

A few caveats exist with NLB for use with 
SharePoint, however. First and foremost, 
be sure to enable site affinity, also known 
as "stickiness," which forces users to use a 
single server for their session, unless that
server is down. This reduces issues caused 
when a client's session is sent from one 
server to the next. 

If using software NLB, be aware of two 
caveats associated with the type of NLB con¬ 
figured. With multi-cast NLB, routers must 
be specially configured or the packets will 
be dropped. Uni-cast NLB doesn't require 
this special configuration but does require a 
dedicated NIC for the intra-array traffic. The 
servers communicate heartbeat informa¬ 
tion to each other across the dedicated NIC, 
which can reside on the same network as the 
standard NIC. 

Query Role Availability 

The query role provides search results that 
are pulled from the full-text index used by 
SharePoint Enterprise Search. Multiple 
query role servers can be utilized in a 
farm, and referrals to them for searches are 
made directly from the web role servers. 
What this means is that query role servers 
don't need a technology such as NLB to be 
made redundant; instead, simply having 
more than one query role server allows 
for search functionality to be made highly 
available. 

One caveat associated with the query 
role is that it can't be made highly available 
if it resides on the same SharePoint server as 
the index role component. In other words, if 
you place the two roles on the same server, 
then SharePoint will no longer propagate a 
copy of the index to any other location, even 
if you try to make another system a query 
server. The only way to effectively make 
Search highly available is by subsequently 
deploying a dedicated index server, then 
adding the query role to at least two other 
servers so that the index will be propagated 
and will be made available in the event of an 
outage. 

Index Role Availability 

The index role is the only SharePoint role that can't be made highly available, but since the loss of index functionality isn't immediately noticeable, this might not be an issue. If the index server is down, Search will still work as long as there are available query servers in the farm. The only noticeable effect would be that new items added to SharePoint or other content sources wouldn't show up in search results until the index server was rebuilt or recovered and indexing continued.

SharePoint Central Admin Role Availability

One commonly overlooked role from an availability perspective is the SharePoint Central Admin role, which can be easily made highly available but often is not. Central Admin, which is used to administer SharePoint, is simply a SharePoint web application that's connected to a dedicated site collection in a dedicated SharePoint content database. You can make it highly available in the same way that you would make any other web application redundant in a SharePoint environment. Unfortunately, Microsoft doesn't make this obvious, but the high-level steps involved in making the tool redundant include the following:

1. Turn on the SharePoint Central 
Admin role for a second server in the farm, 
typically a second load-balanced web role 
server. 

2. Change the registry setting on SharePoint servers that defines which address to use for Central Admin: in this example, a load-balanced Fully Qualified Domain Name (FQDN) of http://spca.companyabc.com:8888. This will also change the default address that the local SharePoint server uses when clicking on the link to start Central Admin. The registry setting for this example is as follows: "HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS\CentralAdministrationURL" (REG_SZ) = http://spca.companyabc.com:8888

3. Change your default Alternate Access Mapping (AAM) for the SharePoint Central Admin web application to http://spca.companyabc.com:8888.

4. Add a DNS "A" record that points spca.companyabc.com to a load-balanced IP that corresponds to both SharePoint servers (either hardware- or software-based NLB will work).

Note that in addition to load-balancing Central Admin, you can also enable SSL encryption and Kerberos authentication, and assign a standard port (443) for the HTTPS traffic. Microsoft not only supports these configuration changes but also recommends them for security and availability.
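
The following audit script is an added example, not code from the article or from Microsoft. It reads the registry value from step 2 on each farm server, checks the DNS record from step 4, and flags a Central Admin address that is not HTTPS, as the note above recommends. The server names and the load-balanced IP are hypothetical placeholders; the URL is the article's example.

```powershell
# Added example: audit the Central Admin address settings across the farm.
# Assumes Windows PowerShell 3.0 or later and the Remote Registry service on each target.
$Servers     = @('SPWEB01', 'SPWEB02')            # hypothetical farm servers running Central Admin
$ExpectedUrl = 'http://spca.companyabc.com:8888'  # the article's example address
$ExpectedVip = '192.0.2.10'                       # placeholder load-balanced IP (documentation range)

$KeyPath   = 'SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS'
$ValueName = 'CentralAdministrationURL'

function Get-CentralAdminUrl {
    param([string]$ComputerName)
    # Read HKLM on the remote server so the audit runs from one admin workstation.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($KeyPath)
        if ($null -eq $key) { return $null }
        try     { return [string]$key.GetValue($ValueName) }
        finally { $key.Close() }
    }
    finally { $hive.Close() }
}

function Test-CentralAdminTarget {
    param([string]$Url, [string]$Vip)
    $findings = @()
    $uri = [System.Uri]$Url
    # The article recommends SSL on port 443 for Central Admin, so plain HTTP is a finding.
    if ($uri.Scheme -ne 'https') {
        $findings += "Central Admin URL uses $($uri.Scheme), not https"
    }
    try {
        # The A record from step 4 must resolve to the load-balanced IP, not to one server.
        $addresses = @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString })
        if ($addresses -notcontains $Vip) {
            $findings += "$($uri.Host) resolves to $($addresses -join ', '), expected $Vip"
        }
    }
    catch {
        $findings += "$($uri.Host) does not resolve: $($_.Exception.Message)"
    }
    return ,$findings
}

$report = foreach ($server in $Servers) {
    $status = 'ok'
    try {
        $actual = Get-CentralAdminUrl -ComputerName $server
        if (-not $actual) {
            $status = 'CentralAdministrationURL not set'
        }
        elseif ($actual.TrimEnd('/') -ne $ExpectedUrl.TrimEnd('/')) {
            # A server still pointing at its own host name bypasses the load balancer.
            $status = 'differs from the expected load-balanced URL'
        }
    }
    catch {
        $actual = $null
        $status = "registry unreadable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $server; ConfiguredUrl = $actual; Status = $status }
}

$report | Format-Table -AutoSize
Test-CentralAdminTarget -Url $ExpectedUrl -Vip $ExpectedVip | ForEach-Object { Write-Warning $_ }
```

With the article's example address the script warns about the HTTP scheme until Central Admin is moved to SSL.
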

Database Mirroring High Availability Options

In addition to traditional clustering, the database role can also take advantage of SQL Server database mirroring and log shipping to make mirrored copies of SharePoint databases on another SQL Server instance. While often used for disaster recovery of SharePoint content, one form of database mirroring known as synchronous mirroring can be used for high availability of the databases in a SharePoint farm. In this scenario, SharePoint databases are synchronously mirrored from a principal SQL Server server to a mirror server, while a third server, the witness server, stands by, waiting to fail over the databases to the mirror server in the event of an outage.

SQL Server database mirroring can be set up in three ways depending on specific needs, available bandwidth between servers, and the SQL Server version used. Database mirroring is supported in SQL Server 2005 SP1 and greater, including SQL Server 2008. High protection database mirroring is available with both the Standard and Enterprise editions of SQL Server, whereas the high performance option is only available with the Enterprise edition:

• High protection—With high protection, all SharePoint databases can be synchronously mirrored to a second SQL Server instance and made available in the event of an outage of the principal server. Failover isn't automatic with this model, so it's not a true high availability solution.

• High availability—The only database-mirroring option that provides high availability for SharePoint, this option performs synchronous mirroring and also allows for automatic failover of the databases to the mirror server with the addition of a witness server. This option provides high availability of SharePoint content when used in conjunction with a SQL Server alias configured on the SharePoint servers and is available with SQL Server 2005 Standard and Enterprise editions.

• High performance—The high performance option is available only with SQL Server Enterprise edition and uses asynchronous mirroring, which doesn't wait for the data to be written into the mirrored server before it's committed. While this can result in data loss, it's the only scenario that's feasible if the mirrored SQL Server instance is located across a WAN link with high latency or low bandwidth. The only databases that asynchronous mirroring supports are the SharePoint content databases, which limits this option to a disaster-recovery-only solution.

Failover for the high availability mirroring option involves the witness server, which senses the failure of the principal server and enables the mirrored versions of the databases. Since SharePoint isn't mirroring-aware, the witness server must subsequently act to modify the SQL Server client alias on the SharePoint servers to point them to the new SQL Server location. The high availability option can be used for local failover scenarios where both principal and mirror session are in the same datacenter. It can also be used in remote failover datacenter scenarios, such as what's illustrated in Figure 1, but only in the case of very low latency (less than 1 millisecond) and very high bandwidth (1Gb or greater). You can find these scenarios detailed in the Microsoft whitepaper at tinyurl.com/mirrorsp.
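
To confirm which of the three mirroring modes each SharePoint database is actually running in, the script below (an added example, not from the article or the Microsoft whitepaper) queries the sys.database_mirroring catalog view on the principal and maps each row to the article's mode names. The instance name is a hypothetical placeholder, and the script assumes Windows PowerShell 3.0 or later with Windows authentication to SQL Server.

```powershell
# Added example: classify every user database on the principal by mirroring mode.
$SqlInstance = 'SQLPRINCIPAL01'   # hypothetical principal SQL Server instance

# sys.database_mirroring has one row per database; the mirroring columns are NULL
# when the database is not mirrored. database_id > 4 skips the system databases.
$query = @'
SELECT d.name,
       m.mirroring_role_desc,
       m.mirroring_state_desc,
       m.mirroring_safety_level_desc,
       m.mirroring_witness_name,
       m.mirroring_witness_state_desc
FROM sys.databases AS d
JOIN sys.database_mirroring AS m ON m.database_id = d.database_id
WHERE d.database_id > 4
ORDER BY d.name
'@

function Get-MirroringMode {
    param($Row)
    if ($Row.mirroring_state_desc -is [System.DBNull]) { return 'not mirrored' }
    # Safety OFF means asynchronous commits: the article's high performance option.
    if ($Row.mirroring_safety_level_desc -eq 'OFF') { return 'high performance' }
    # Safety FULL is synchronous; only a witness makes failover automatic.
    $witness = $Row.mirroring_witness_name
    if (($witness -is [System.DBNull]) -or ($witness -eq '')) { return 'high protection' }
    return 'high availability'
}

function Get-MirroringFinding {
    param($Row, [string]$Mode)
    switch ($Mode) {
        'not mirrored'     { return 'no mirror copy exists' }
        'high protection'  { return 'synchronous, but failover is manual' }
        'high performance' { return 'asynchronous; disaster recovery only, data loss possible' }
        'high availability' {
            # Automatic failover needs a synchronized mirror and a connected witness.
            if ($Row.mirroring_state_desc -ne 'SYNCHRONIZED') {
                return "mirror state is $($Row.mirroring_state_desc); automatic failover not possible now"
            }
            if ($Row.mirroring_witness_state_desc -ne 'CONNECTED') {
                return "witness is $($Row.mirroring_witness_state_desc); automatic failover not possible now"
            }
            return 'ok'
        }
    }
}

$connection = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=master;Integrated Security=SSPI")
$adapter    = New-Object System.Data.SqlClient.SqlDataAdapter($query, $connection)
$table      = New-Object System.Data.DataTable
[void]$adapter.Fill($table)   # Fill opens and closes the connection itself

$report = foreach ($row in $table.Rows) {
    $mode = Get-MirroringMode -Row $row
    [pscustomobject]@{
        Database = $row.name
        Role     = $row.mirroring_role_desc
        Mode     = $mode
        Finding  = Get-MirroringFinding -Row $row -Mode $mode
    }
}

$report | Format-Table -AutoSize
```

Any database whose Finding is not "ok" falls short of the automatic failover the high availability option is meant to provide.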

Highly Available Farm Architecture 

The smallest SharePoint farm that's fully highly available (i.e., the loss of any one server doesn't noticeably affect clients) is a five-server farm composed of the following server roles:

• Server 1—Web/Query/Inbound Email/ 
Central Admin #1 

• Server 2—Web/Query/Inbound Email/ 
Central Admin #2 

• Server 3—Index 

• Server 4—SQL Server Database Cluster 
Node #1 

• Server 5—SQL Server Database Cluster 
Node #2 

Because they're load-balanced, the web/ 
query servers continue to operate for web 
requests, inbound email to document 
libraries, and search queries. The SQL 
Server environment clustering handles 
failover of the database role. The index 
role, as mentioned earlier, can't be made 
highly available, but since a failure isn't 
visible to the end user it's not required to 
be made available. 

Server Virtualization Options

Server virtualization technologies can help organizations that can't deploy five physical servers or want to take advantage of virtualization improvements and cost savings. Microsoft fully supports MOSS running on server virtualization software that's been validated as part of the Server Virtualization Validation Program (SVVP); you can see more details at the Microsoft support site: support.microsoft.com/kb/897615. This includes virtual solutions such as Windows Server 2008 Hyper-V, VMware Server, Citrix XenServer, and many others. That said, certain SharePoint roles such as the database role aren't the best candidates for virtualization, though with proper attention to disk infrastructure and CPU allocation, all components can be virtualized.

Virtualization provides flexibility in a SharePoint environment, allowing for full high availability to be built for organizations that normally wouldn't be able to afford it. For example, Figure 2 illustrates a two-virtual-host environment that lets an organization make web/query servers highly available and take advantage of the high availability mirroring option to provide full failover between virtual hosts. This architecture has the added advantage of letting an organization deploy multiple SharePoint farms, including farms for testing and development.

Virtualization software such as VMware VMotion, Citrix XenMotion, or the soon-to-be released Windows Server 2008 Hyper-V Live Migration lets you add an additional high availability layer to a SharePoint environment. They work in similar ways, automatically moving a virtual guest from a failed virtual host to another host, providing for high availability of the server session itself. Many organizations are adding this additional layer to SharePoint high availability solutions. For more information on virtualizing a SharePoint environment, see Microsoft's white paper at tinyurl.com/virtualsp and "Coordinate a Virtualized Environment for SharePoint," at windowsitpro.com/article/articleid/95846/coordinate-a-virtualized-environment-for-sharepoint.html.

Figure 2: Two-virtual-host environment

Third-Party Replication High Availability Options

Some organizations have enhanced their SharePoint high availability options by deploying third-party replication solutions that replicate SharePoint documents, lists, and libraries to multiple locations, as Figure 3 shows. By replicating content to these locations and utilizing global load balancers such as Citrix NetScalers, Cisco Content Switches, F5, and others, requests to a single SharePoint FQDN can be directed to a local copy of the content. When changes are made to the content, the third-party software replicates them to all other farms. If a single farm fails, requests can be automatically referred to another farm within the organization, allowing for instant failover across sites. Multiple third-party vendors providing replication software include AvePoint, CASAHL, echoTechnology, Infonic, Syntergy, and others.

Figure 3: Replicating SharePoint documents, lists, and libraries to multiple locations

Making SharePoint Bulletproof

It's not immediately obvious how to make SharePoint architecture highly available, but armed with the proper knowledge of SharePoint role availability and the best practices outlined in this article, SharePoint admins can design a bulletproof SharePoint environment without breaking the bank. Out-of-the-box features such as NLB, clustering, and high availability mirroring can be combined with other high availability solutions such as virtualization or third-party replication to meet the Service Level Agreements of any organization.

NEW & IMPROVED


■ Windows Mobile 

■ Security 

Microsoft Launches Free 
Anti-Malware Beta 

Microsoft released the public beta version of its Microsoft Security Essentials (MSE)—formerly code-named Morro—in the United States, Israel, and Brazil. The anti-malware add-on works with Windows 7, Windows Vista, and Windows XP, and will be free when the final version is released worldwide by the end of 2009. MSE is based on the same anti-malware technology that the company builds into its other products, such as Forefront and Hotmail. And though it will effectively replace the discontinued Windows Live OneCare in the marketplace, it has been upgraded internally since that product to support a dynamic signature service that provides for near real-time signature updates so that users' PCs are always up to date. MSE is much smaller, lighter, and quicker than OneCare, plus it doesn't burden the user with constant, unnecessary notifications.

To learn more or download the beta, visit www.microsoft.com/security_essentials.

LG Electronics and NComputing Announce Network-Enabled LCD Monitors

LG Electronics and NComputing have announced a new category of network-enabled LCD monitors that can serve as terminals for nComputing's thin-client solution. This new class of monitors, dubbed the LG SmartVine N-series, will be available in 19- and 17-inch sizes in North America, with a 15-inch model available outside the United States. SmartVine N-series monitors include embedded firmware that ships with nComputing's desktop virtualization technology. Each monitor includes standard USB keyboard and mouse connectors, as well as an Ethernet cable for connection to a host PC. (An expansion kit allows up to five additional monitors to connect to the host PC, and one PC can use up to two kits.) The monitors are compatible with host computers running Linux or Windows OSes. Exact pricing wasn't announced at press time, but the news release indicates that both the 15" and 17" monitors would be in the "sub-$200" range. To learn more, visit www.ncomputing.com/LGNetworkMonitors.aspx.

■ Exchange

■ Virtualization

Test Hosted Exchange 2010 for Free

Are you looking to sample the charms of Microsoft Exchange Server 2010, but you're not sure you're ready to install the beta even on your test systems? Here's another option for you: Intermedia, a company that has been offering hosted Exchange since 2000, has become the first hosted provider offering the beta of Exchange 2010 to small-to-midsized businesses (SMBs) as a hosted service. You can complete an online application form at www.exchange2010beta.com for the beta program. Applications will be screened by the company, but there is no fee to participate. The Exchange 2010 beta program is available through the end of September.

PRODUCT

Microsoft My Phone

Available in beta form since May 19, Microsoft's free My Phone web service allows users of Windows Mobile 6.0+ phones to upload and synchronize phone contacts, calendars, photos, and text messages into a 200MB (per user) online storage space. I've been using the My Phone beta on a Samsung Blackjack II running Windows Mobile 6.1, and I've found it to be a useful service, primarily for personal use. The My Phone service is still in development—so features could change without notice—but here are three of my favorites:

Information backup: The My Phone service lets you synchronize and back up a variety of information on your phone to the cloud, including text messages, contacts, calendar appointments, photos, videos, music, documents, and other information. However, Microsoft is positioning My Phone as a consumer service, so synchronization of calendars, contacts, and tasks won't happen if you've configured your phone to receive email via Microsoft Exchange.

Data protection: I've never lost a mobile phone, but the fear of losing a device that contains all of my contacts, email, photos, and other important information gives me a case of indigestion. Thankfully, all that information can be backed up to the My Phone web service, which also makes it a snap to restore all of that information to a new Windows Mobile phone if I ever lost my current one. You can configure when the service backs up your information to the cloud, or you can accept the default settings and have it update automatically. This is my favorite My Phone feature, and I'm sure a lot of mobile phone users would agree with me.

Online synchronization and file sharing: In addition to serving as an online repository for phone files, the My Phone service allows you to add, edit, and delete contacts and calendar appointments online by using the My Phone web tool. Changes made here can then be synced back to your phone, making it easy to keep both sets of data synchronized and consistent. Tighter integration with Windows Live (and Windows SkyDrive) would also be useful here.

Given how far behind Microsoft is from Apple and RIM in the mobile OS user experience and phone application store departments, My Phone may find itself becoming a vital component of Microsoft's future mobile product strategy.

Jeff James | jjames@windowsitpro.com

Editor's Note: Send new product announcements to products@windowsitpro.com.



V-Locity Defragments, Optimizes Virtual Machines

Diskeeper has announced V-Locity, a product that addresses the need to take care of virtual machines (VMs) and their virtual hard drives. V-Locity defragments Hyper-V servers and VMs, but it does a lot more. According to Diskeeper's release about the product, it also "synchronizes the complex and ongoing activity between host and multiple guest operating systems" to improve performance. The product also reclaims space used by dynamically growing virtual drives that don't shrink again when space is freed up. Visit www.diskeeper.com for more information.



Acer Android Netbook in Q3 2009 

At press time, Acer promised an Android-powered Acer Aspire netbook in Q3 2009. The machine will, for all practical purposes, be the same hardware netbook, only with a different OS. It will likely cost less because Acer won't have to pay for Windows. While most users still prefer Windows XP for their netbooks, many industry watchers are predicting a rise in Linux-based operating systems (such as Android), because these netbooks will be able to use ARM-based processors to gain huge boosts in battery life. A handful of Android-equipped smartphones are also planned to release in late 2009.


Google Rains on Exchange Parade

Google has announced Google Apps Sync for Microsoft Outlook, a Google Apps solution that lets you run Outlook with Gmail. For the end users, the experience is the same—they will still have the familiar Outlook interface. For organizations, the cost savings are significant. However, the utility is still fairly primitive from a deployment perspective—you literally need to run the utility manually on each end-user desktop—but the end result will justify the effort for most small businesses. That is, you can replace an expensive Exchange server with a hosted Google solution. To learn more, visit www.google.com/apps/intl/en/business/outlook_sync.html.

Paul's Picks

SUMMARIES of in-depth product reviews on Paul Thurrott's SuperSite for Windows

Mozilla Firefox 3.5 

PROS: New Private Browsing Mode catches up to similar IE 8.0 and Google Chrome functionality; better web-application performance; support for emerging HTML standards

CONS: Still not as easily deployable by businesses as is Internet Explorer

RATING:

RECOMMENDATION: Mozilla's latest browser is its best yet. Mozilla Firefox 3.5 is a rock-solid, highly-capable alternative to Microsoft Internet Explorer. The browser's main strengths—extensibility, compatibility, and performance—continue in Firefox 3.5 and are augmented with improvements. One minor downside: Mozilla still doesn't support corporate deployments as seamlessly as does Microsoft.

CONTACT: Mozilla • www.mozilla.com

DISCUSSION: www.winsupersite.com/alt/firefox35.asp


Windows 7 E Editions 

PROS: Full version will be available at Upgrade prices at least through the end of 2009

CONS: No Internet Explorer; product design affected by misguided antitrust regulators in Europe


RATING: ♦♦ 


RECOMMENDATION: Microsoft's 
decision to perform an end-run around 
European Union (EU) antitrust regulators by 
exorcising IE from the versions of Windows 7 
sold there was a good one, but it does leave 
customers in the lurch. Businesses that want 
IE in Europe will be able to deploy it easily 
enough, but those who install Windows 7 
in Europe on their own PCs will have more 
work to do. The silver lining? Full versions 
of Windows 7 will be available for Upgrade 
prices at least through the end of 2009. 

CONTACT: Microsoft • 800-426-9400 • www.microsoft.com

DISCUSSION: www.winsupersite.com/win7/e_preview.asp

Sun VirtualBox 3.0

When it comes to desktop virtualization software, VMware Workstation (for the PC) and VMware Fusion / Parallels Desktop (for the Mac) tend to get the most attention. All three products work well, but they're not the only games in town. VirtualBox 3.0 from Sun Microsystems does most of what these packages can do, but has one big advantage over them: It's free for personal use.

Virtualization on the Cheap 

Like those other products, VirtualBox 3.0 is a desktop virtual machine (VM) application using a "Type 2" hypervisor that requires a compatible host OS (Linux, Windows, Macintosh, or OpenSolaris) and x86-based computer hardware to function. Using VirtualBox, you can create guest VMs that use a different OS than your host. I created VMs running Windows 7 RC, Windows XP SP3, and Ubuntu 8.10, but VirtualBox also supports a huge variety of guest OSs; you can find a full list of supported guest OSs on the VirtualBox website at www.virtualbox.org/wiki/Guest_OSes.

Creating a VM is a snap, thanks to a VM creation wizard that takes you step-by-step through the VM creation process. Using drop-down menus and sliders you can select your guest OS, choose your base memory size, and create a new virtual hard disk image to boot your VM from.

VirtualBox 3.0 does bring some new features to the table, namely: improved 3D support for Windows guests running Direct 3D 8/9 games and applications; and OpenGL 2.0 support for Solaris, Linux, and Windows guests. Guest SMP with support for up to 32 virtual CPUs has also been added, but only if you're running Intel or AMD processors with VT-x and AMD-V support, respectively. VirtualBox 3 also provides support for USB 1.1/2.0, USB over RDP, serial ATA controllers, and RDP servers.

Usability and Performance

From a usability and performance perspective, VirtualBox 3.0 works like a charm. A new mini toolbar for full-screen and seamless modes makes it even easier to switch between VMs, which is handy if you're dealing with more than one or two VMs. During testing, Windows 7 RC and Ubuntu 8.10 seemed to run at full speed when running client-side apps such as OpenOffice.org 3.0 and Firefox. I didn't get the opportunity to test VirtualBox 3.0 in a heavy load environment, but the performance seems on par with (if not a bit faster than) similar testing I've done with VMware Workstation.

So what does VirtualBox 3.0 lack? Sun 
uses what it calls "Guest Additions" to 
add additional functionality to Linux and 
Windows VMs; support for Windows 9X 
OSs in this department is limited. Cutting 
and pasting between VMs isn't supported, 
and the ability to flip between different VM 
states appears limited when compared with 
VMware Workstation. 

Despite my quibbles, Sun VirtualBox 3.0 is an impressive product with an unbeatable price tag. It's a perfect solution for quickly creating dev and test environments. For those reasons (and more) VirtualBox 3.0 earns a hearty thumbs up from me.

InstantDoc ID 102482 

Sun VirtualBox 3.0 

PROS: Broad support for multiple OSs; excellent performance; feature list is competitive with more expensive offerings from VMware and Parallels; it's free!

CONS: 3D support works, but needs improvement; missing some features (such as branch snapshots and cut and paste between VMs) that other products offer; some IT shops may prefer vendors with more traditional support offerings.

RATING: 

PRICE: Free 

RECOMMENDATION: Don't let the lack of 
a price tag dissuade you from taking a serious 
look at VirtualBox 3.0, as it competes well with 
far pricier offerings from VMware and Parallels. 
Sometimes the best things in life truly are free, 
and VirtualBox 3.0 is one of them. 

CONTACT: Sun • www.virtualbox.org 

HP LeftHand P4300 4.8TB SAS Starter SAN Solution

The HP LeftHand P4300 4.8TB SAS Starter SAN Solution is a feature rich, highly scalable, highly available storage platform for medium and large businesses. Well known for its entry-level SAN products, LeftHand Networks was acquired by HP in February 2009. This SAN solution couples HP's storage hardware with LeftHand Networks' SAN/iQ management software.

The HP LeftHand SAN Solution that I 
tested was delivered as two 2U nodes. These 
units were equipped with 5.4TB rather than 
4.8TB, but otherwise they were exactly like 
the units you'd receive. Each node came 
configured with a dozen 450GB 15K Serial 
Attached SCSI (SAS) drives, two front USB 
ports, two rear USB ports, dual hot-swap 
power supplies, dual 1GB network adapters, 
one 1GB NIC management port, PS/2-style 
mouse and keyboard ports, a VGA port, a 
serial port, and a rear-mounted DVD drive. 

Setting Up and Configuring 

Setting up the units couldn't have been easier. I racked each 2U node, then attached my keyboard, mouse, and monitor to the ports on the back of each unit. When each node powered up, it presented a simple character-based display that let me enter the basic networking information for each network port.

After configuring the networking information, I installed the SAN/iQ management software on a network workstation and connected it to the SAN. The SAN/iQ software really sets this product in a class by itself and is the easiest SAN management software I've ever used. You don't need to be a storage expert or have to look up confusing storage terms like LUN Masking to configure the SAN. Instead, you use a series of easy-to-use wizards to perform the initial setup and configuration. You can rerun the wizards at any time.

Managing the SAN

You can manage the SAN directly using the LeftHand Networks Centralized Management Console, which Figure 1 shows. You navigate through the nodes in the console's left pane and set the properties in the right pane. The console is easy to use and does a great job of simplifying the SAN management experience.

Figure 1: Using the LeftHand Networks Centralized Management Console to manage SANs


Ease of administration is only half the story behind the SAN/iQ software. Its built-in scaling and availability capabilities are equally important. Creating a highly available implementation is as easy as cabling and powering up additional nodes, then running a wizard to add them to your storage group. You can add up to 30 nodes. The Virtual IP Load Balancing feature automatically distributes data across all storage modules in the cluster. The SAN/iQ software aggregates the available capacity and presents it to the clients using a virtual IP address.

For data protection, you can use the Network Raid feature to control the degree of data redundancy. The default level is two, which means two copies of the data will be kept for each volume. Volumes can have different Network Raid levels. Network Raid distributes the data to all nodes so that the system is always load balanced. Other notable features include SmartClone Volumes (which significantly reduce data storage for cloned volumes), local and remote snapshots, multisite replication, and Remote Copy (which provides centralized backup and recovery).

The Bottom Line 

I tested the SAN solution with a regular Windows file share, with a Windows failover cluster, and with Cluster Shared Volume (CSV) for Hyper-V Live Migration. The setup was easy and the SAN worked flawlessly for each tested scenario. I was able to monitor all aspects of the SAN's performance, including CPU, network and storage utilization, total throughput, I/O operations per second (IOPS), and average I/O size. The only problem I ran into was that occasionally the console wouldn't start and I needed to terminate the javaw.exe process in Task Manager before restarting the console.

The HP LeftHand SAN Solution starts at $35,000, putting it out of reach for most small businesses. However, this price makes it very competitive with other storage offerings for medium and large businesses. I found this SAN solution to be very easy to use. Its ability to add capacity by stacking up to 30 nodes makes it highly scalable. Plus, it includes all the SAN/iQ features right out of the box, with nothing extra to buy.

InstantDoc ID 102478 

HP LeftHand P4300 4.8TB SAS 
Starter SAN Solution 

PROS: Excellent scalability, availability, and 
manageability 

CONS: Expensive for a small business 

RATING: ♦♦♦♦♦ 

PRICE: Starts at $35,000 

RECOMMENDATION: If you're in the market 
for a midrange SAN with enterprise scalability, 
this SAN solution should go straight to the top 
of your list. 

CONTACT: HP • www.hp.com 

COMPARATIVE REVIEW

VMware Fusion vs. Parallels Desktop

Two different approaches to virtualizing Windows on the Mac

by Jeff James

According to some of our own reader surveys, more than 60 percent of our audience regularly has to manage Linux, Macintosh, and other non-Windows platforms in their IT environments. Getting all those disparate platforms to coexist peacefully within a Windows shop has historically been somewhat of a challenge, but the advent of virtualization technology has improved that situation dramatically over the past few years.

That's why we decided to take a look at VMware Fusion and Parallels Desktop, the two leading commercial virtualization products for the Apple Macintosh. Just about every IT pro has had to work with Macintosh computers in the office, as they are the platform of choice for many designers, artists, and creative directors, including the office here at Windows IT Pro: All of our art and production teams use Macs to publish our magazine every month.

Using either of these products, you can give Mac users access to essential Windows- or Linux-based applications and ease integration and improve interoperability with your existing infrastructure. In order to find out which product was better, I tested VMware Fusion 2.0 and Parallels Desktop 4.0 on a MacBook Pro equipped with a 2.53GHz Intel Core Duo Processor, 4GB of RAM, a 300GB hard drive, and the nVidia GeForce 9400m graphics chipset.

VMware Fusion 2.0


VMware is a relative newcomer to the Mac virtualization scene, but has 
already made a significant impact. VMware has more than a decade of 
x86 virtualization experience, so when Apple moved to Intel processors 
for the Macintosh family, VMware saw an opportunity to bring their 
expertise to the Macintosh market, and VMware Fusion was born. 

Installation. I found installing VMware Fusion to be very easy and 
intuitive, and I was ready to create my first Windows XP virtual machine 
(VM) in about 30 minutes. VMware Fusion can also import your Win¬ 
dows settings from Boot Camp, which could be a benefit for users who 
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are accustomed to using Apple's multi-boot 
feature. 

Configuration and use. To test Parallels Desktop and VMware Fusion, I created a Windows XP VM with 512MB of RAM and a 60GB hard drive, and enabled 3D hardware acceleration. I then installed Windows XP SP3, along with the PC versions of OpenOffice 3.0, Microsoft Office 2007, and a few other applications and utilities.

Like Parallels Desktop, VMware Fusion has a feature that lets you run Windows applications in a self-contained window on the Mac desktop, as Figure 1 shows. VMware calls its windowing functionality Unity, whereas Parallels calls its version Coherence. It may seem like a minor feature, but it does help hide some of the complexity of the guest OS from the user. For example, if you want a Mac user to have access only to a specific Windows application rather than the entire OS, Unity (and Coherence) can make that happen.

I spent a few hours loading, editing, and saving a variety of Office documents, and they loaded and ran without any obvious performance problems. VMware Fusion did seem to run those apps a tad slower than Parallels Desktop, but I didn't see too much of a difference between them for light office work. The difference seemed a bit more noticeable when running macros on larger Excel spreadsheets (and in other more disk- and processor-intensive tasks), with Parallels narrowly emerging as the speed champ.

VMware Fusion does support more than 60 varieties of guest OSs, which could be useful if you have a specific Linux distribution you're trying to run. VMware's phone and email support both cost money; larger businesses have additional support pricing and options to choose from, but the extra cost of VMware support may be an issue for smaller businesses.


VMware Fusion 2.0 

PROS: Excellent integration with other VMware products; polished interface and painless installation; impressive number of supported guest OSs

CONS: Support can be expensive; overall VM performance was slightly behind Parallels; 3D/OpenGL support not as robust

RATING: ♦♦♦♦O

PRICE: $79.95

RECOMMENDATION: VMware Fusion is your best option if you've invested heavily in other VMware virtualization products, but Parallels Desktop wins by a nose.

CONTACT: VMware • 877-486-9273 • 
www.vmware.com 

Parallels Desktop 4.0 

Parallels has been providing virtualization products on the Mac for several years, and Parallels Desktop 4.0 is the latest product in that long legacy. Despite some early reliability problems with the initial 4.0 product release (see www.windowsitpro.com, InstantDoc ID 100916), the version of Parallels Desktop I tested ran without any problems.

Installation. Parallels Desktop was just 
about as easy to install as VMware Fusion 
was, and the installation time was roughly 
similar: I was ready to create my first VM in 
a little over 30 minutes. 

Configuration and use. Using Parallels Desktop, I also created a Windows XP VM with 512MB of RAM and a 60GB hard drive, and enabled 3D acceleration (see Figure 2). Parallels Desktop provides more flexibility over your 3D acceleration configuration than VMware Fusion does, and also supports OpenGL 2.0. That could make Parallels Desktop a better option if you need to support Windows apps that require a specific video memory size or OpenGL support.

Figure 1: Using VMware Fusion 2.0 to run Windows on a Mac

Figure 2: Using Parallels Desktop 4.0 to run Windows XP on a Mac

Like VMware Fusion, Parallels Desktop ran all the Windows applications in my test without any problems. Parallels Desktop did seem a bit faster when working with larger files or more complex documents. Parallels Desktop 4.0 is also bundled with a number of other Windows applications at no additional charge, including Acronis True Image Home backup and restore, Acronis Disk Director Suite disk management, and security software by Kaspersky. Free email technical support is provided, and paid telephone support is also available.


Parallels Desktop 4.0 


PROS: Slightly faster VM performance; robust OpenGL and 3D accelerator support; less expensive support options; bundled software provides a great value

CONS: Comparatively limited number of supported guest OSs; initial 4.0 release had some reliability problems; installation and user experience not quite as polished as VMware Fusion

RATING: 

PRICE: $79.95 

RECOMMENDATION: Parallels Desktop has 
improved mightily over the past few years, and 
this latest version is the best yet. 

CONTACT: Parallels • 425-282-6448 • 
www.parallels.com 

Two Excellent Products, One Hard Decision

Both VMware Fusion 2.0 and Parallels Desktop 4.0 work as advertised, and I'd heartily recommend either of these products to any Mac user who needs to run Windows, Linux, or any other supported OSs for business or personal use. In the final analysis, however, I felt that Parallels Desktop was the superior product, but only by the narrowest of margins. Parallels Desktop seemed a bit faster with just about every task I threw at it, the bundled Windows apps make it a nice value, and the less expensive support options could make it a cheaper option for SMBs. That said, if you've invested heavily in other VMware products in your enterprise, VMware Fusion would be the best choice, as Fusion VMs can easily be migrated to other VMware products such as ESX Server and VMware Workstation.

Like the Camaro and the Mustang, Pepsi and Coke, the Red Sox and the Yankees, the intense competition between VMware and Parallels is good news for consumers. I'd expect both companies to keep improving their products in the months and years to come, which should make life easier for IT admins tasked with managing multiple platforms.

InstantDoc ID 102578 



JEFF JAMES (jjames@windowsitpro.com) is Editor-in-Chief, Web Content Strategist for Penton Media's IT Publishing Group. He specializes in server operating systems, systems management, and server virtualization.



ANTIVIRUS APPLIANCES for Windows Networks

Stop malware in its tracks

by Lavon Peters

Here's a scary thought: More than 80 percent of the email messages coming through your company are spam. And many of those messages aren't merely "junk mail"—they actually contain viruses or other types of malware. In fact, email is the number-one delivery mechanism for malware.

Scores of antispam and antivirus software products exist, and many organizations rely only on software for their antivirus protection. However, keeping the software up-to-date on all the systems in your network can be extremely time consuming. In addition, software can degrade system performance if not implemented correctly.

An antivirus hardware device can provide a first line of defense 
against spam and malware. This Buyer's Guide highlights several 
antivirus appliances for Windows networks. 

How Antivirus Appliances Work 

Antivirus appliances are installed at the network perimeter and scan web and email traffic, often continuously. Predefined rules (e.g., whitelists, blacklists, heuristic analysis) let the appliance easily detect viruses and malicious file downloads. Suspicious web activities such as spyware and adware downloads typically generate a warning, whereas suspicious email can be deleted or marked as possible spam.

Virus definitions and whitelists/blacklists are updated frequently to ensure that the appliance has the most current virus signature files and is detecting the latest threats. Updates typically occur automatically and can be continuous or scheduled.

Alerts are recorded in the event logs and can also be sent via 
email or as HTML, CSV, XML, PDF, or plain text files. Most antivirus 
appliances offer web-based management; a few also provide an 
integrated console that lets you manage virus filtering, cleaning, 
updates, and reporting options. 

Selecting an Appliance 

In selecting an antivirus appliance for your environment, the main consideration is often price—especially in these tough economic times. However, you also need to balance the performance provided by the device. You'll want to consider the appliance's throughput, as well as its storage capacity. Another factor to take into account is how many users or email accounts the device supports. Finally, you might want to consider the reputation of the company behind the appliance, including the support provided and the likelihood of the company to stay in business for the duration of the appliance's lifespan.

Another Alternative: Hosted Services 

An alternative to using antivirus software or an appliance is to install 
a hosted antivirus service on your network. Hosted services can 
run in the cloud and require very little overhead in many cases. No 
hardware or software is necessary. In addition, there is nothing to 
maintain or upgrade. The service provider takes care of all updates 
and maintenance. 

The price for hosted services typically depends on the number of 
users you need to support. Therefore, hosted antivirus services are 
best implemented in smaller organizations, with 100 employees or 
fewer. The cost can be prohibitive in larger environments. 

First Line of Defense 

Antivirus software can be expensive and time consuming to keep updated, and hosted antivirus services can be cost prohibitive. You should therefore look into an antivirus appliance for your network—at least as a first line of defense. An antivirus appliance can cost less than $1 per user, requires little to no upkeep, and provides immeasurable protection against the spam and malicious applications that can plague your systems. See the accompanying table for a guide to several antivirus appliances for Windows networks.

InstantDoc ID 102501 
| Company | Product | Price | Form Factor | Standalone/Rack-Mounted | Number of Users Supported | Storage Capacity |
|---|---|---|---|---|---|---|
| Abaca Technology; 408-571-6400; 877-462-2222; www.abaca.com | Abaca Email Protection Gateway 1000 | $3,495 | 1U | Rack-mounted | 1,500 | 250GB |
| Abaca Technology | Abaca Email Protection Gateway 3000 | $6,495 | 1U | Rack-mounted | 4,000 | 250GB |
| Axway (formerly Tumbleweed Communications); 480-627-1800; 877-564-7700; www.axway.com | MailGate 3.7 | Starts at $5,700 for 50 users | 1U and 2U | Rack-mounted | Unlimited | 146GB to 900GB |
| Barracuda Networks; 408-342-5400; 888-268-4772; www.barracudanetworks.com | Barracuda Spam & Virus Firewall 100-1000 | $699 to $89,999 | Models 100-600, 1U; models 800-1000, 2U | Rack-mounted | 100,000 | 8GB to 512GB |
| Cisco Systems; 650-989-6500; 877-641-4766; www.ironport.com | Cisco IronPort C-Series Email Security Appliance | Starts at $6,950 | 1U and 2U | Rack-mounted | 10,000+ | 70GB |
| Cisco Systems | Cisco IronPort S-Series Web Security Appliance | Starts at $7,000 for 250 users | 1U and 2U | Rack-mounted | S160: up to 1,000; S360: 1,000 to 5,000; S660: 20,000+ | 1.8TB |
| Excelerate Software; 949-218-3337; 800-413-2251; www.exceleratesoftware.com | SpamGate 3 | Starts at $1,295 | 1U | Rack-mounted | 10 to 3,000 | 160GB |
| Fortinet; 408-235-7700; www.fortinet.com | FortiMail | From $1,495 to $38,875 | 1U and 2U | Rack-mounted | Unlimited | 250GB to 6TB |
| MailFoundry; 920-431-6966; 888-302-6245; www.mailfoundry.com | MailFoundry 1150 | $1,299 | 1U | Rack-mounted | 200 | 250GB |
| Panda Security; 818-543-6901; www.pandasecurity.com | Panda GateDefender Performa | Starts at 2,980€ | 1U | Rack-mounted | 2,500 | 75GB to 250GB |
| Panda Security | Panda GateDefender Integra 300 | Starts at 2,900€ | 1U | Rack-mounted | 250 | 80GB |
| Panda Security | Panda GateDefender Integra SB | Starts at 990€ | Desktop format | Standalone | 50 | 80GB |
| Red Condor; 707-285-4100; 888-966-7726; www.redcondor.com | Message Assurance Gateway (MAG) 2000, 2500, 2600, 2700, 3000, 4000 | $1,499 to $16,999 | 1U and 2U | Rack-mounted | 500 to 20,000 | 80GB to 1TB |
| Sophos; 781-494-5800; 866-866-2802; www.sophos.com | Sophos Web Security and Control | $2,495 | 1U | Rack-mounted | 15,000 | 1TB |
| Vircom; 514-845-1666; 888-484-7266; www.vircom.com | modusGate 4.7 | Starts at $1,500 | 1U and 2U | Rack-mounted | 100,000 | 1TB+ |
| WatchGuard Technologies; 206-613-6600; 800-734-9905; www.watchguard.com | Firebox X550e | $1,299 | 1U | Rack-mounted | 100 | N/A |

Editor's Note: All the information in this Buyer's Guide is supplied by vendors. Some vendors you might expect to see in this Buyer's Guide either didn't have a product that matched the criteria for the Buyer's Guide or didn't respond to our requests for product information.
| Type of Scan | Frequency of Scans | Type of Update | Frequency of Updates | Management Interface | Type of Reporting |
|---|---|---|---|---|---|
| Whitelist, blacklist, heuristics, automatic detection | Continuous | Automatic | Continuous | Web-based management | HTML, email, event logs |
| Whitelist, blacklist, heuristics, automatic detection | Continuous | Automatic | Continuous | Web-based management | HTML, email, event logs |
| Whitelist, blacklist, heuristics | Continuous | Automatic | Hourly | Integrated console, web-based management | CSV, XML, event logs, SQL |
| Whitelist, blacklist, heuristics, predictive sender profiling | Hourly | Automatic | Hourly | Web-based management | HTML, CSV, email, event logs, SYSLOG |

IronPort Reputation Filtering via 
INSIGHTS FROM THE INDUSTRY


Securing Data: What Tokenization Does 


If you ever watched Star Trek, you soon learned Dr. McCoy's signature line: "Dammit, Jim, I'm a doctor, not a [insert a more useful occupation for the crisis at hand]." In the Payment Card Industry (PCI), it appears companies are doing a riff on Bones' signature line: "I'm a merchant, Jim, not a security expert!" So why are we surprised when we hear about the latest data breach?

Not that there aren't penalties for losing data. A company can be fined by the credit card companies for a violation and even lose its credit-card taking privileges. High stakes, but companies also face the cost of storing, managing, and monitoring encrypted data and being audited by PCI-certified auditors, all of which adds complexity and takes away profit.

A solution that's relatively new to the 
market, tokenization, offers potential over 
the de facto standard, encryption. But even 
the PCI's standards committee can't decide 
which defense is best to use to keep credit 
card data safe. 

"There are too many changes in IT happening too quickly for an organization to wait for a standards committee to issue a clear pronouncement on each of them," says David Taylor, a former e-commerce analyst with Gartner and research director of the PCI Alliance, in "Data Security Slugfest: Tokenization Vs End-to-End Encryption" (http://tinyurl.com/cfw8f3).

"Rather, I would suggest that retailers begin now to investigate the value of these technologies, especially tokenization and end-to-end encryption, to determine where one or the other, or both of them, can be used...." His explanation of why encryption alone doesn't work is useful.

At The Falcon's View blog, Ben Tomhave shares his frustrations about his search for data security solutions in "Does Tokenization Solve Anything?" (tinyurl.com/nydjhd). "To me, the solution here is to get the data out of the hands of the merchants. If the merchants don't have the cardholder data, then you don't need to worry (as much) about them getting compromised." Tokenization, he admits, can do just that, but he still sees problems with it.


To sort through the confusion, I'd like to point to an interview several Penton editors did with Gartner analyst John Pescatore. He explained how tokenization came about: "A lot of pretty big companies don't have credit card payment as a big part of their business, but they have the PCI security requirement even for the small amount of payment processing they do. And they thought encrypting and other PCI security requirements were too complicated, so they outsourced the payment processing so they'd never store the card data, just a token.

"These companies could get full access to the transaction data, but the outsourced payment processor sends it to them without the card data. This idea of tokenization and masking started with these outsourcers.

"Now enterprises who either can't or don't want to outsource payment processing can do it themselves with tokenization. However, outsourced payment processors do have to get certified as PCI compliant.

"Taking this approach, companies can 
keep their sensitive data in one database 
and use tokenization for other applications 
that need to look up credit card related 
data, thereby reducing the odds of a data 
breach. What's more important to most 
enterprises, however, is that now all those 
servers on which they used to store the 
sensitive data are no longer part of the 
PCI audit, because the only systems in the 
scope of the PCI audit are the systems that 
store and process the sensitive data. 

"So what tokenization really does is 
limit the scope of the PCI audit, which 
reduces the cost of the audit and the cost 
of dealing with the audit." 

Pescatore had some other interesting things to say about tokenization, as well as whether it could be used for securing other types of data. To read the interview with him, check out my colleague Linda Harty's write-up at the System iNetwork blog (tinyurl.com/puwuwn).

—Caroline Marwitz 
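The arrangement Pescatore describes, sketched as an added example (not code from the column or from any vendor): one vault keeps the card numbers, other applications keep only tokens, and a Luhn-based scan lists which data stores still contain card numbers. The `TokenVault` class, the store names, the record layout and the token format are assumptions made for illustration; the card numbers are the widely published test numbers.

```python
import re
import secrets
import string

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """True when a digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers that appear anywhere in a string."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """The single database that keeps card numbers; everything else gets tokens."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            # Same card, same token: other applications can still group by card.
            return self._token_by_pan[pan]
        while True:
            # Random letters: the token has no mathematical relation to the card
            # number, and find_pans() can never mistake it for one.
            body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
            token = "tok_" + body + "_" + pan[-4:]  # last four kept (assumed format)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def stores_holding_card_data(stores):
    """Names of the stores in which any field value contains a card number."""
    found = []
    for name, records in stores.items():
        if any(find_pans(str(value)) for rec in records for value in rec.values()):
            found.append(name)
    return sorted(found)


def demo():
    """Constructed records: an order table before and after tokenization, plus a
    free-text field that still leaks a card number."""
    vault = TokenVault()
    stores = {
        "orders_before": [{"order": "A-1001", "card": "4111 1111 1111 1111"}],
        "orders_after": [{"order": "A-1001", "card": vault.tokenize("4111 1111 1111 1111")}],
        "support_notes": [{"ticket": "T-7", "note": "caller gave card 5555-5555-5555-4444"}],
    }
    return vault, stores_holding_card_data(stores)


if __name__ == "__main__":
    print(demo()[1])
```

The free-text store is the case to watch: replacing the card column with tokens does not help a system whose notes or logs still capture full card numbers.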
Intel Signs Agreement with Nokia


Intel and Nokia announced an agreement 
to develop a new class of Intel-based 
mobile computing device and chipset 
architectures. Intel sees the agreement as 
a much-needed endorsement of its Atom 
chipset and its applicability to mobile 
computing. 

Adam Leach, device principal analyst 
at Ovum, said, "Since Intel's launch of its 
Atom family of processors, it has made 
no secret that it intends to make a serious 
play in mobile. The company hopes that 
taking a slice of the mobile device market 
will provide an engine for growth outside 
of its traditional PC and server markets." 

Nokia sees the agreement as an opportunity to explore new types of mobile broadband devices and ensure that its smartphone offerings aren't sidelined by manufacturers entering from the PC market. This is also an opportunity for both companies to align their software platforms and create a compelling open-source platform that could rival today's smartphone and netbook platforms.

Leach said, "The two companies have agreed to cooperate on key open-source projects and use these common technologies in Moblin (Intel's Linux-based software platform for Atom) and Maemo (Nokia's Linux-based software platform for its Internet Tablet products). This is good for Nokia as its platform will become more suited for the growing segment of mobile Internet devices and netbooks; good for Intel as its platform will become more suited for smaller mobile devices and good news for developers as it will, to an extent, reduce fragmentation in Linux-based devices. However, the real opportunity here is for Nokia and Intel to combine their efforts and back a single Linux-based platform for mobile devices. This could provide device vendors with a credible open alternative to existing smartphone and netbook platforms."

However, Intel—not to remain a niche player in the mobile market—still must prove that its Atom-based chipsets can compete with ARM-based alternatives on low-power performance. The current family of Atom chipsets isn't suitable for use in handsets, so Intel has developed a new market segment for larger form-factor mobile Internet devices (MIDs) positioned above smartphones and below notebooks. To reach further down into the volume part of the mobile market and start reaching the expanding high-end smartphone segment, Intel needs to produce a chipset that can match the power/performance ratio of processors based on the designs of ARM. This announcement is a sign that at least Nokia believes that Intel's roadmap is credible and that the company can, in time, provide a competitive offering against ARM-based alternatives.

—Jason Bovberg 

InstantDoc ID 102359 
Symantec Tackles a Struggling Economy with Managed Backup Services


"We're all working in an IT atmosphere that's demanding, 'Do more with less,'" said Grant Geyer, VP of Managed Services at Symantec. "We're dealing with the specters of extreme cost control and outsourcing. Budgets are shrinking, and so are workforces."

And yet today's IT organizations are required to manage enterprise data-protection solutions that meet demanding service level agreements (SLAs) and data-recovery objectives—regardless of budgets and resources. The growing complexity and cost of enterprise data protection operations, combined with a shortage of qualified personnel, have compounded the challenge of effectively managing these critical environments on an ongoing basis.


Symantec Managed Backup Services 
enable enterprises to reduce operational 
costs, manage risks, and meet their SLAs 
with confidence—all by outsourcing their 
key backup and recovery functions to 
Symantec's data-protection experts. 

Managed Backup Services provide comprehensive management of your backup and recovery operations under strict SLAs, allowing you to focus on your core business priorities while retaining ownership of your backup technology. Geyer said, "There are three tiers of management support: The Silver tier is 8 hours a day, 7 days a week; the Gold tier is 16 hours a day, 7 days a week; and the Platinum tier is 24 hours a day, 7 days a week."

The Symantec Managed Backup Service begins with an initial assessment of your current backup environment to provide recommendations for optimization of your backup operations and infrastructure and to determine your ROI for moving to a managed service. A transition process and plan is subsequently developed specific to your existing people, processes, and technology. The service is then run according to agreed SLAs including backup and recovery success rates. And because the data stays on your assets in your data centers, there is no 'lock-in' agreement impacting recovery of your data in the long-term.

Symantec Managed Backup Services combine local management—on-site or off-site—with remote, round-the-clock monitoring, incident management, performance of restore requests, planning and optimization assistance, and regular reporting. Incidents are addressed in a timely manner using your existing storage-management queue with supplemental root-cause analysis performed on high-impact problems. Symantec's local technical expert plans and optimizes operations from change-management monitoring to patch management, domain client configuration alterations, and storage-capacity forecasting. Day-to-day operations are supervised by your Service Delivery Manager, who also provides a centralized and transparent view of your operations through daily and monthly reports summarizing SLAs, storage capacity, and key issues identified during the period.

"Managed Backup Services promises 
15-20 percent cost savings for the average 
enterprise," said Geyer. "The sweet spot is 
the large enterprise, but the solution scales 
nicely to SMBs." 

For more information, visit www.symantec.com and select Business/Services/Managed Backup Services.

—Jason Bovberg 

InstantDoc ID 102032 
CTRL+ALT+DEL


by Jason Bovberg 


LOTTA 


In the wake of Microsoft's recent, successful launch of its Bing "decision engine," we got to thinking about other Bings around the world. We even got letters from readers who also experienced a little deja vu when they heard the name Bing. Perhaps it's all part of Microsoft's grand plan to get Bing tripping effortlessly off the tongues of its users, but we're coming up with all kinds of Bings. How about you?




1. Australian Bing Mail Portal (bingmail.com.au); 2. Twin Bing candy bar; 3. Bing Barbershop in Germany (www.barbershop.de/en/news); 4. Bing Cherries; 5. Bada Bing! Club from The Sopranos; 6. Bing Crosby; 7. Bing Cola.






